[jdk8u-dev] RFR: 8269039: Disable SHA-1 Signed JARs [v2]

Martin Balao mbalao at openjdk.org
Thu Nov 17 15:55:28 UTC 2022


On Thu, 17 Nov 2022 08:30:01 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:

>> I've verified that test `oldsig.sh` passes with and without SHA1. This is because even if a disabled algorithm is used for signing or if a disabled algorithm is found when verifying a signature, `jarsigner` returns `0`. While the jar is actually signed, the verification fails and the jar is considered unsigned. The test should do better in the assertion statement, for example by checking `sm  ... B.class` in a verbose output. The test in later JDK releases has been fixed and the assertion statement improved.
>> 
>> @alexeybakhtin, my suggestion would be to backport the JDK-11 OldSig.java test to JDK-8. I agree with you that doing all the .sh -> .java test conversions is out of the scope of this backport, but I would make an exception for the case discussed here because, otherwise, we would be having a broken/useless test in JDK-8. I'm also open to considering adding a better assertion statement to the current .sh test. What do you think?
>
> @martinuy, thank you for the review again.
> I've updated the existing oldsig.sh and added the OldSig.props file. Now the test validates the signature.

@alexeybakhtin, thanks for addressing this concern.

What do you think about the following (minor) change to your proposal?

diff --git a/jdk/test/sun/security/tools/jarsigner/oldsig.sh b/jdk/test/sun/security/tools/jarsigner/oldsig.sh
index fcc2293d5d..5c8e328367 100644
--- a/jdk/test/sun/security/tools/jarsigner/oldsig.sh
+++ b/jdk/test/sun/security/tools/jarsigner/oldsig.sh
@@ -79,7 +79,8 @@ ${TESTJAVA}${FS}bin${FS}jarsigner \
     -digestalg SHA1 \
     B.jar c
 
-echo "${TESTJAVA}${FS}bin${FS}jarsigner -verify ${KS_ARGS} ${PROP_ARGS} -verbose B.jar"
-LINES=`${TESTJAVA}${FS}bin${FS}jarsigner -verify ${KS_ARGS} ${PROP_ARGS} -verbose B.jar | grep smk | grep B.class | wc -l`
+JAR_VERIFY_CMD="${TESTJAVA}${FS}bin${FS}jarsigner -verify ${KS_ARGS} ${PROP_ARGS} -verbose B.jar"
+echo ${JAR_VERIFY_CMD}
+LINES=`${JAR_VERIFY_CMD} | grep smk | grep B.class | wc -l`
 [ $LINES = 1 ] || exit 1
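
Review bot: The added `echo ${JAR_VERIFY_CMD}` expands the variable unquoted, whereas the removed `echo "..."` line was quoted, so the logged command now goes through word splitting and pathname expansion and may differ from the string that is stored; `echo "${JAR_VERIFY_CMD}"` keeps the previous log output. The `${JAR_VERIFY_CMD}` inside the backticks has to stay unquoted so that it splits into the command and its arguments, which means a space inside `${TESTJAVA}`, `${KS_ARGS}` or `${PROP_ARGS}` still breaks the invocation, as it did in the removed line. In the unchanged part of the pipeline, `grep B.class` treats the dot as a wildcard, so `grep 'B\.class'` would make the `[ $LINES = 1 ]` assertion tighter.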

-------------

PR: https://git.openjdk.org/jdk8u-dev/pull/154