[icedtea-web] RFC: do not check INDEX.LIST for being signed

Omair Majid omajid at redhat.com
Wed Mar 23 08:28:55 PDT 2011


On 02/11/2011 07:28 PM, Omair Majid wrote:
> Hi,
>
> The attached patch modifies JarSigner so that we do not verify the jar
> index.
>
> There are some applications that contain jars with all entries except
> the jar index signed. See
> https://bugzilla.redhat.com/show_bug.cgi?id=675271 for an example.
>
> The jar index contains a list of jars and packages inside them. Our
> classloader uses it to look up where (in the same domain) it might look
> for additional jars if some classes cannot be found. The jar index does
> not say anything about those particular jars being signed, nor does it
> contain any signatures for those classes. The effect of the jar index
> being modified should be the same as the archive tag in an applet tag
> being modified (or the jar element in a jnlp file being modified) - and
> we don't verify jnlp files or web pages as being signed.
>
> More information about the jar index can be found at [1].
>
> All in all, I don't think not verifying signatures on the jar index will have
> any security impact. If no one has issues with the patch, I would like
> to add it to icedtea-web HEAD.
>
> Thoughts? Comments?
>

Anyone?

Thanks,
Omair
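The jar index and the coverage check discussed above, as an added example that is not part of the original thread or of the icedtea-web code: a Python script that builds a constructed JAR in memory (manifest digests for every class entry, none for META-INF/INDEX.LIST), parses INDEX.LIST into a package-to-jar map, and reports which entries lack a valid manifest digest, with a flag that exempts INDEX.LIST the way the patch proposes. The signer name SIGNER, the entry contents and the index contents are made up, and the script checks manifest digest coverage only; it does not verify the .SF/.RSA signature block itself.

```python
import base64
import hashlib
import io
import zipfile

# --- Constructed sample data (not from the thread or the icedtea-web tree) ---
SAMPLE_ENTRIES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe app bytes",
    "com/example/Util.class": b"\xca\xfe\xba\xbe util bytes",
}
# INDEX.LIST format: a version header, then blank-line separated blocks whose
# first line names a jar and whose remaining lines are package paths in it.
SAMPLE_INDEX_LIST = (
    "JarIndex-Version: 1.0\r\n\r\n"
    "sample.jar\r\ncom/example\r\n\r\n"
    "helper.jar\r\ncom/example/helper\r\norg/thirdparty\r\n\r\n"
)


def _digest_section(name, data):
    # One per-entry manifest section (SHA-256, base64), as jarsigner writes it.
    value = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
    return "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (name, value)


def build_sample_jar(sign_index=False):
    """Build an in-memory JAR whose class entries carry manifest digests.

    With sign_index=False, META-INF/INDEX.LIST has no digest, which is the
    shape of the archives the thread is about.
    """
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in SAMPLE_ENTRIES.items():
        manifest += _digest_section(name, data)
    if sign_index:
        manifest += _digest_section("META-INF/INDEX.LIST", SAMPLE_INDEX_LIST.encode("ascii"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        # Placeholder signature file and block (hypothetical signer name); this
        # example checks manifest coverage only, not the signature block itself.
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")
        zf.writestr("META-INF/INDEX.LIST", SAMPLE_INDEX_LIST)
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _unwrap(text):
    # Manifest lines are wrapped at 72 bytes; a leading space marks a continuation.
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def manifest_digests(manifest_text):
    """Return {entry name: (hashlib algorithm, base64 digest)} per manifest section."""
    digests = {}
    name = None
    for line in _unwrap(manifest_text):
        if line == "":
            name = None
        elif line.startswith("Name: "):
            name = line[len("Name: "):]
        elif name is not None and "-Digest: " in line:
            attr, value = line.split(": ", 1)
            alg = attr[:-len("-Digest")].replace("-", "").lower()  # "SHA-256" -> "sha256"
            digests[name] = (alg, value)
    return digests


def is_signature_related(name):
    """The manifest and META-INF/*.SF, *.RSA, *.DSA, *.EC carry the signature itself."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.rsplit(".", 1)[-1] in ("SF", "RSA", "DSA", "EC"))


def unsigned_entries(jar_bytes, ignore_index=True):
    """Entries with no manifest digest, or whose digest does not match their content.

    ignore_index=True mirrors the proposed change: INDEX.LIST is treated like the
    signature files and is never required to be covered by the manifest.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        covered = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        missing = []
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or is_signature_related(name):
                continue
            if ignore_index and name.upper() == "META-INF/INDEX.LIST":
                continue
            if name not in covered:
                missing.append(name)
                continue
            alg, value = covered[name]
            actual = base64.b64encode(hashlib.new(alg, zf.read(name)).digest()).decode("ascii")
            if actual != value:
                missing.append(name)  # digest present but content was altered
        return missing


def parse_index_list(text):
    """Map each package path listed in INDEX.LIST to the jar that holds it."""
    mapping = {}
    blocks = "\n".join(text.splitlines()).split("\n\n")
    for block in blocks[1:]:  # blocks[0] is the JarIndex-Version header
        lines = [l for l in block.split("\n") if l]
        for pkg in lines[1:]:
            mapping[pkg] = lines[0]
    return mapping


def index_from_jar(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return parse_index_list(zf.read("META-INF/INDEX.LIST").decode("utf-8"))


if __name__ == "__main__":
    jar = build_sample_jar()
    print("strict  :", unsigned_entries(jar, ignore_index=False))
    print("patched :", unsigned_entries(jar, ignore_index=True))
    print("index   :", index_from_jar(jar))
```

Run as is, the strict check flags only META-INF/INDEX.LIST, and the check with the index exempted reports nothing, which is the distinction the patch draws. The package-to-jar map is what the classloader consults when a class is missing from the current jar; nothing in it names a signer, so tampering with it can only redirect a lookup to another jar that then gets checked on its own.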