[icedtea-web] RFC: do not check INDEX.LIST for being signed
Omair Majid
omajid at redhat.com
Fri Feb 11 16:28:25 PST 2011
Hi,
The attached patch modifies JarSigner so that we do not verify the jar
index.
There are some applications that contain jars with all entries except
the jar index signed. See
https://bugzilla.redhat.com/show_bug.cgi?id=675271 for an example.
The jar index contains a list of jars and packages inside them. Our
classloader uses it to look up where (in the same domain) it might look
for additional jars if some classes can not be found. The jar index does
not say anything about those particular jars being signed, nor does it
contain any signatures for those classes. The effect of the jar index
being modified should be the same as the archive tag in an applet tag
being modified (or the jar element in a jnlp file being modified) - and
we dont verify jnlp files or web pages as being signed.
More information about the jar index can be found at [1].
All in all, I dont think not verifying signatures on jar index will have
any security impact. If no one has issues with the patch, I would like
to add it to icedtea-web HEAD.
Thoughts? Comments?
Cheers,
Omair
[1]
http://download.oracle.com/javase/6/docs/technotes/guides/jar/jar.html#JARIndex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ignore-unsigned-index-list.patch
Type: text/x-patch
Size: 1060 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110211/02362a82/ignore-unsigned-index-list.patch
More information about the distro-pkg-dev
mailing list