[jdk8u-dev] RFR: 8278851: Correct signer logic for jars signed with multiple digest algorithms

Andrew John Hughes andrew at openjdk.org
Fri Apr 7 17:43:49 UTC 2023


On Fri, 10 Mar 2023 17:35:19 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

> Please review this backport which fixes a regression new in 8u362 due to [JDK-8269039](https://bugs.openjdk.org/browse/JDK-8269039). For some jars which are signed with an obsolete digest algorithm, after JDK-8269039, they're treated as unsigned even though one of the signatories used a valid (non-obsolete) digest algo.
> 
> The backport is not clean, mainly because of JDK-8275887 (which in 11u wasn't present when that bug was backported), copyright headers and different test infra in 8u. So the test looks a bit different so that it works on 8u. All of the changes are fairly trivial to resolve. Changes in `SecurityUtils.java` aren't needed as 8u-dev already has them.
> 
> Testing:
>  - [x] `jdk/test/sun/security/tools/jarsigner` tests pass.
>  - [x] new regression test. Fails prior product fix, passes after.

8u backport looks correct. I had the same comment about `List.of` vs `asList` as Martin. It's not worth changing here, but, given how frequently this comes up, we should probably look at having a utility method to handle the conversion.

I see the lack of [JDK-8056174](https://bugs.openjdk.org/browse/JDK-8056174) results in having to rewrite the signJarFile method completely to call the external program, as there is no programmatic access to jar signing. Too risky to backport this just for a nicer test.

Approved for 8u

-------------

Marked as reviewed by andrew (Reviewer).

PR Review: https://git.openjdk.org/jdk8u-dev/pull/282#pullrequestreview-1376428062

