[Bug 659] New: IcedTea6 rejects partially-signed jar files

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Thu Mar 3 14:58:31 PST 2011


           Summary: IcedTea6 rejects partially-signed jar files
           Product: IcedTea
           Version: 6-1.9.5
          Platform: all
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: IcedTea6
        AssignedTo: unassigned at icedtea.classpath.org
        ReportedBy: eddygeez at gmail.com

Prior to 6-1.9.5, javaws would allow JNLP files that referenced jar files that
had unsigned entries.

Starting with 6-1.9.5, use of such jars results in the exception:

net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant
permissions to unsigned jars.

Running 'jarsigner -verify -verbose filename.jar' on one of the jar files in
question results in this warning:

| ...
| jar verified.
| Warning: 
| This jar contains unsigned entries which have not been integrity-checked. 

Using 6-1.9.4, this JNLP/jar combo launches OK, but not under 6-1.9.5.

More importantly, using java-1_6_0-sun-1.6.0.u24-0.2.1, this JNLP/jar combo
*also* launches OK.

It seems logical that a partially-signed .jar file is a security vulnerability.
However, in order to maintain compatibility with the proprietary JDK6, perhaps
an "exception dialog" (similar to what is presented for self-signed jars)
should be presented, allowing the user to grant an exception for such
partially-signed JNLP/jar files.
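The condition jarsigner reports as "unsigned entries" is structural: a jar is signed per entry, and an entry counts as signed only if it is named in a META-INF/*.SF file whose manifest digest matches the bytes actually in the archive. The following Python script is an added example (not IcedTea code and not from the reporter) that shows how a reviewer can classify a jar's entries before deciding how to handle it. It builds a constructed sample jar in memory, with two correctly signed classes, one entry added after signing and one entry modified after signing, and reports which entries are covered, which are not, and which no longer match the recorded digest. It checks coverage and manifest digests only; it does not verify the PKCS#7 block (the .RSA/.DSA/.EC file) or the .SF's own digests, which a real verifier must also do. The jar layout, file names and contents are assumptions made for the example.

```python
import base64
import hashlib
import io
import zipfile


def b64_sha256(data: bytes) -> str:
    """Digest encoding used by MANIFEST.MF / .SF 'SHA-256-Digest' attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(text: str):
    """Split a MANIFEST.MF or .SF into (main_attributes, {entry_name: attributes}).

    Continuation lines (leading single space) are joined to the previous line;
    sections are separated by blank lines.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def is_signing_related(name: str) -> bool:
    """Files the JDK treats as signature machinery rather than content."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    base = upper[len("META-INF/"):]
    return (base == "MANIFEST.MF" or base.startswith("SIG-")
            or base.endswith((".SF", ".RSA", ".DSA", ".EC")))


def audit_jar(jar_bytes: bytes) -> dict:
    """Classify content entries as signed/unsigned and check manifest digests.

    'signed' means the entry is named in at least one .SF file. The PKCS#7
    block and the .SF's own digests are NOT verified here.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        _, manifest_entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        covered = set()
        for n in names:
            if n.upper().startswith("META-INF/") and n.upper().endswith(".SF"):
                covered |= set(parse_manifest(zf.read(n).decode("utf-8"))[1])
        report = {"signed": [], "unsigned": [], "digest_mismatch": []}
        for n in (x for x in names if not is_signing_related(x)):
            if n not in covered:
                report["unsigned"].append(n)
                continue
            report["signed"].append(n)
            recorded = manifest_entries.get(n, {}).get("SHA-256-Digest")
            if recorded != b64_sha256(zf.read(n)):
                report["digest_mismatch"].append(n)
        return report


def is_partially_signed(report: dict) -> bool:
    """The state jarsigner warns about: some content entries covered, others not."""
    return bool(report["signed"]) and bool(report["unsigned"])


def build_sample_jar() -> bytes:
    """Constructed sample jar: two properly signed classes, one entry added after
    signing (absent from manifest and .SF) and one entry modified after signing."""
    files = {
        "com/example/Main.class": b"constructed class bytes 1",
        "com/example/Util.class": b"constructed class bytes 2",
        "com/example/Patched.class": b"bytes modified after signing",
        "config/extra.properties": b"added after signing, never signed",
    }
    # What the signer saw: Patched.class had different bytes, extra.properties did not exist.
    at_signing = dict(files)
    at_signing["com/example/Patched.class"] = b"original bytes at signing time"
    del at_signing["config/extra.properties"]

    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
    sf_sections = ""
    for name, data in at_signing.items():
        section = f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
        manifest += section
        # A real .SF records the digest of each manifest section, as done here.
        sf_sections += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(section.encode())}\r\n\r\n"
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64_sha256(manifest.encode())}\r\n\r\n" + sf_sections)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.SF", sf)
        # Placeholder: a real jar carries a PKCS#7 signature over SIGNER.SF here.
        zf.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real signature block")
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    r = audit_jar(build_sample_jar())
    print("unsigned entries:", r["unsigned"])
    print("digest mismatches:", r["digest_mismatch"])
    print("partially signed:", is_partially_signed(r))
```

On the sample, `audit_jar` reports `config/extra.properties` as unsigned and `com/example/Patched.class` as a digest mismatch, so `is_partially_signed` is true. Either finding is a reason for a launcher to withhold full permissions: the unsigned entry carries code or data nobody vouched for, and the mismatched entry means the signature no longer describes what will be loaded. To audit a real jar, read its bytes from disk and pass them to `audit_jar`.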


More information about the distro-pkg-dev mailing list