[Bug 659] New: IcedTea6 rejects partially-signed jar files
bugzilla-daemon at icedtea.classpath.org
Thu Mar 3 14:58:31 PST 2011
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=659
Summary: IcedTea6 rejects partially-signed jar files
Product: IcedTea
Version: 6-1.9.5
Platform: all
OS/Version: Linux
Status: NEW
Severity: major
Priority: P5
Component: IcedTea6
AssignedTo: unassigned at icedtea.classpath.org
ReportedBy: eddygeez at gmail.com
Prior to 6-1.9.5, javaws would allow JNLP files that referenced jar files that
had unsigned entries.

Starting with 6-1.9.5, use of such jars results in the exception:

net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant
permissions to unsigned jars.

Running 'jarsigner -verify -verbose filename.jar' on one of the jar files in
question results in this warning:

| ...
| jar verified.
|
| Warning:
| This jar contains unsigned entries which have not been integrity-checked.

Using 6-1.9.4, this JNLP/jar combo launches OK, but not under 6-1.9.5.

More importantly, using java-1_6_0-sun-1.6.0.u24-0.2.1, this JNLP/jar combo
*also* launches OK.

It seems logical that a partially-signed .jar file is a security vulnerability.
However, in order to maintain compatibility with the proprietary JDK6, perhaps
an "exception dialog" (similar to what is presented for self-signed jars)
should be presented, allowing the user to grant an exception for such
partially-signed JNLP/jar files.
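Added example (not part of the original bug report, and not IcedTea or jarsigner code): a structural audit that approximates the jarsigner warning quoted above by listing jar entries that no META-INF/*.SF file names, and by recomputing the manifest digests of the entries that are named. It does not validate the signature block or the .SF digests, so 'jarsigner -verify' remains the authoritative check; the function names and the in-memory sample jar are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

MF = "META-INF/MANIFEST.MF"
SIG_META = re.compile(r"META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def parse_sections(text):
    """Parse manifest-format text into {entry name: {attribute: value}}."""
    text = re.sub(r"\r\n?", "\n", text).replace("\n ", "")  # unfold continuation lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def audit_jar(jar):
    """Return (unsigned, digest_mismatch) entry names for a jar path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        manifest = parse_sections(zf.read(MF).decode()) if MF in names else {}
        sf_files = [n for n in names if re.fullmatch(r"META-INF/[^/]+\.SF", n, re.I)]
        covered = {e for n in sf_files for e in parse_sections(zf.read(n).decode())}
        unsigned, mismatch = [], []
        for n in names:
            if n.endswith("/") or SIG_META.match(n):  # directories and signature metadata
                continue
            if n not in covered or n not in manifest:
                unsigned.append(n)
                continue
            for attr, value in manifest[n].items():
                if attr.upper().endswith("-DIGEST") and n not in mismatch:
                    algo = attr[:-len("-Digest")].replace("-", "").lower()
                    actual = base64.b64encode(hashlib.new(algo, zf.read(n)).digest())
                    if actual.decode() != value:
                        mismatch.append(n)
        return unsigned, mismatch

def build_sample_jar(tamper=False):
    """Constructed sample: Main.class is in the manifest and .SF, Extra.class is not."""
    signed = b"signed class bytes"
    digest = base64.b64encode(hashlib.sha256(signed).digest()).decode()
    text = f"Manifest-Version: 1.0\r\n\r\nName: app/Main.class\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MF, text)
        zf.writestr("META-INF/SAMPLE.SF", text)  # stand-in; a real .SF digests the manifest
        zf.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real signature block")
        zf.writestr("app/Main.class", signed + (b"!" if tamper else b""))
        zf.writestr("app/Extra.class", b"added after signing")
    return buf
```

Calling audit_jar() with a path to a real jar returns the same two lists; a non-empty first list corresponds to the "partially-signed" case this report describes.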