[Bug 3532] Cannot grant permissions to unsigned jars

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Tue Mar 6 11:08:30 UTC 2018 

https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3532

JiriVanek <jvanek at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #9 from JiriVanek <jvanek at redhat.com> ---
According to spec:
        <jar href="release/JViewer.jar"/>
        <jar href="release/JViewer-SOC.jar"/>
        <nativelib href="release/Win32.jar"/>
           <nativelib href="release/Win64.jar"/>
        <nativelib href="release/Linux_x86_32.jar"/>
        <nativelib href="release/Linux_x86_64.jar"/>
    <nativelib href="release/Mac32.jar"/>
    <nativelib href="release/Mac64.jar"/>


I need the Linux_x86_64.jar too. But I reprodcued with current jars already.
See:

 jvanek  jvanek  11:55:09  ~  Desktop  jviwer  $  jarsigner -verify
JViewer.jar 

The jar will be treated as unsigned, because it is signed with a weak algorithm
that is now disabled.

Re-run jarsigner with the -verbose option for more details.
 jvanek  jvanek  11:55:16  ~  Desktop  jviwer  $  jarsigner -verify
-verbose JViewer-SOC.jar 

        2555 Tue Jan 21 17:16:18 CET 2014 META-INF/MANIFEST.MF
        2676 Tue Jan 21 17:16:18 CET 2014 META-INF/RKVM_SIG.SF
        5331 Tue Jan 21 17:16:18 CET 2014 META-INF/RKVM_SIG.RSA
...
 m       521 Tue Jan 21 17:16:18 CET 2014
com/ami/kvm/jviewer/soc/SOCIVTPPktHdr.class
...
 m      5062 Tue Jan 21 17:16:18 CET 2014
com/ami/kvm/jviewer/soc/SOCFrameHdr.class

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

- Signed by "CN=American Megatrends Inc., OU=MegaRAC, OU=Digital ID Class 3 -
Java Object Signing, O=American Megatrends Inc., L=Norcorss, ST=Georgia, C=US"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA (weak), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak
algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024



So you see the isue now, I guess.  
Also You can see that it is not issue in ITW, but in latest JDK.   AlsoYou see
how to fix it Iguess.

If not, then edit java.security :

 grep jdk.jar.disabledAlgorithms $(dirname $(readlink -f $(which
java)))/..//lib/security/java.security
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024


And remove MD5 and probabkly also RSA entries. But be aware! There vere many
reasons why those werebalcklisted!  

Much better approach would be to re-sign the jars or ask vendor to fix this for
you (The application was compiled by jdk 1.5!!!)



Last note - ITW 1.8 have "improved" --nosecurity to workaround this kind of
issue (as they become multiplying) and the patch was backported to 1.7.
However,  latest stable 1.7 was released *before* this patch.  And It will not
(like never i'm afraid)  make it to Centos6.  It is currently in Fedora (as rpm
patch) if you prefere custom rpm instead of hacked java.security 

f27 (no plugin anymore)
https://koji.fedoraproject.org/koji/buildinfo?buildID=1052515
f26 (Still with plugin)
https://koji.fedoraproject.org/koji/buildinfo?buildID=1052516

So thats it....

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20180306/fecd9310/attachment-0001.html>

More information about the distro-pkg-dev mailing list