[jdk8u-dev] RFR: 8269039: Disable SHA-1 Signed JARs [v2]
Alexey Bakhtin
abakhtin at openjdk.org
Thu Nov 17 08:32:38 UTC 2022
On Thu, 17 Nov 2022 06:58:36 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
>>
>> test fixes
>
> I've verified that test `oldsig.sh` passes with and without SHA1. This is because even if a disabled algorithm is used for signing or if a disabled algorithm is found when verifying a signature, `jarsigner` returns `0`. While the jar is actually signed, the verification fails and the jar is considered unsigned. The test should do better in the assertion statement, for example by checking `sm ... B.class` in a verbose output. The test in later JDK releases has been fixed and the assertion statement improved.
>
> @alexeybakhtin, my suggestion would be to backport the JDK-11 OldSig.java test to JDK-8. I agree with you that doing all the .sh -> .Java test conversions is out of the scope of this backport, but I would make an exception for the case discussed here because, otherwise, we would be having a broken/useless test in JDK-8. I'm also open to consider adding a better assertion statement to the current .sh test. What do you think?
@martinuy, thank you for the review again.
I've updated the existing oldsig.sh and added OldSig.props file. Now test validates the signature.
-------------
PR: https://git.openjdk.org/jdk8u-dev/pull/154
More information about the jdk8u-dev
mailing list