[jdk8u-dev] RFR: 8278851: Correct signer logic for jars signed with multiple digest algorithms
Severin Gehwolf
sgehwolf at openjdk.org
Wed Mar 15 19:49:26 UTC 2023
On Fri, 10 Mar 2023 17:35:19 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:
> Please review this backport which fixes a regression new in 8u362 due to [JDK-8269039](https://bugs.openjdk.org/browse/JDK-8269039). For some jars which are signed with an obsolete digest algorithm, after JDK-8269039, they're treated as unsigned even though one of the signatories used a valid (non-obsolete) digest algo.
>
> The backport is not clean, mainly because of JDK-8275887 (which in 11u wasn't present when that bug was backported), copyright headers and different test infra in 8u. So the test looks a bit different so that it works on 8u. All of the changes are fairly trivial to resolve. Changes in `SecurityUtils.java` aren't needed as 8u-dev already has them.
>
> Testing:
> - [x] `jdk/test/sun/security/tools/jarsigner` tests pass.
> - [x] new regression test. Fails prior product fix, passes after.

Thanks for the review!

> Minor note —which is not worth any change to the current proposal, in my view—: the list that _List.of_ returns is unmodifiable, which is not the case for _Arrays.asList_.

OK. I could wrap it in `Collections.unmodifiableList(...)`, but it's probably not worth it in this case.

> Just out of curiosity, was there a reason for placing _JarWithOneNonDisabledDigestAlg_ into a new _disdigest_ directory? I see that in 11u and above is in the _jarsigner_ directory.

Yes, the test failed when adding to the `jarsigner` directory directly. At least when the full suite of tests was run in the `jarsigner` directory. If I remember correctly, this caused some weird CNFE.

-------------
PR: https://git.openjdk.org/jdk8u-dev/pull/282