[icedtea-web] RFC: do not check INDEX.LIST for being signed

Omair Majid omajid at redhat.com
Fri Feb 11 16:28:25 PST 2011


Hi,

The attached patch modifies JarSigner so that we do not verify the jar 
index.

There are some applications that contain jars with all entries except 
the jar index signed. See 
https://bugzilla.redhat.com/show_bug.cgi?id=675271 for an example.

The jar index contains a list of jars and packages inside them. Our 
classloader uses it to look up where (in the same domain) it might look 
for additional jars if some classes cannot be found. The jar index does 
not say anything about those particular jars being signed, nor does it 
contain any signatures for those classes. The effect of the jar index 
being modified should be the same as the archive tag in an applet tag 
being modified (or the jar element in a jnlp file being modified) - and 
we don't verify jnlp files or web pages as being signed.

More information about the jar index can be found at [1].

All in all, I don't think not verifying signatures on jar index will have 
any security impact. If no one has issues with the patch, I would like 
to add it to icedtea-web HEAD.

Thoughts? Comments?

Cheers,
Omair

[1] 
http://download.oracle.com/javase/6/docs/technotes/guides/jar/jar.html#JARIndex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ignore-unsigned-index-list.patch
Type: text/x-patch
Size: 1060 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110211/02362a82/ignore-unsigned-index-list.patch 
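
An added example, not the attached patch or icedtea-web's own JarSigner code: a check that reports jar entries lacking a signature while exempting META-INF/INDEX.LIST alongside the manifest and signature files, as the message above proposes. The class and method names are hypothetical, and the list of signature-file suffixes is an assumption.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added illustration; class and method names are hypothetical.
public class UnsignedEntryReport {
    // Entries not expected to carry a signature: the manifest, signature
    // files and blocks, and (the exemption proposed above) the jar index.
    static boolean isExempt(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) {
            return false; // only files directly inside META-INF/ qualify
        }
        return n.equals("META-INF/MANIFEST.MF") || n.equals("META-INF/INDEX.LIST")
                || n.endsWith(".SF") || n.endsWith(".DSA")
                || n.endsWith(".RSA") || n.endsWith(".EC");
    }

    // Returns the names of entries that should be signed but are not.
    static List<String> unsignedEntries(String path) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) { // true = verify digests
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isExempt(entry.getName())) {
                    continue;
                }
                // Signers are only known once the entry has been read to the
                // end; a tampered entry throws SecurityException during the read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                }
                if (entry.getCodeSigners() == null) {
                    unsigned.add(entry.getName());
                }
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        unsignedEntries(args[0]).forEach(n -> System.out.println("unsigned: " + n));
    }
}
```

Run against a jar like the one in the bug report, an empty result means every class and resource is signed even though the index is not; any entry outside the exempt set still fails the check.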

