[jdk8u-dev] Integrated: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

Andrew John Hughes andrew at openjdk.org
Fri Nov 24 14:47:16 UTC 2023


On Wed, 11 Oct 2023 00:57:35 GMT, Andrew John Hughes <andrew at openjdk.org> wrote:

> The security fix, JDK-8300596, introduced a maximum size for signature-related files in JAR files, via the `jdk.jar.maxSignatureFileSize` property. The default value of 8MB has since proven to be too low for some JARs in general use. This change doubles it to 16MB, while still being much lower than the previous `MAX_ARRAY_SIZE` value of `Integer.MAX_VALUE - 8`
> 
> This pull request contains a backport of commit [e47a84f2](https://github.com/openjdk/jdk/commit/e47a84f23dd2608c6f5748093eefe301fb5bf750) from the [openjdk/jdk](https://git.openjdk.org/jdk) repository.  After path shuffling, the `SignatureFileVerifier.java` changes had to be applied manually due to the lack of `GetIntegerAction.privilegedGetProperty` in 8u. The actual changes are the same as for 11u+. Comparing the two patches:
> 
> ~~~
> +@@ -855,16 +855,16 @@ public class SignatureFileVerifier {
>            * the maximum allowed number of bytes for the signature-related files
>            * in a JAR file.
>            */
> --        Integer tmp = GetIntegerAction.privilegedGetProperty(
> --                "jdk.jar.maxSignatureFileSize", 8000000);
> -+        int tmp = GetIntegerAction.privilegedGetProperty(
> -+                "jdk.jar.maxSignatureFileSize", 16000000);
> +-        Integer tmp = AccessController.doPrivileged(new GetIntegerAction(
> +-                "jdk.jar.maxSignatureFileSize", 8000000));
> ++        int tmp = AccessController.doPrivileged(new GetIntegerAction(
> ++                "jdk.jar.maxSignatureFileSize", 16000000));
>           if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
>               if (debug != null) {
>  -                debug.println("Default signature file size 8000000 bytes " +
> ~~~
> 
> The commit being backported was authored by Hai-May Chao on 31 Jul 2023 and was reviewed by Sean Mullan and Matthias Baesken.

This pull request has now been integrated.

Changeset: b372b4b5
Author:    Andrew John Hughes <andrew at openjdk.org>
URL:       https://git.openjdk.org/jdk8u-dev/commit/b372b4b502cb07eb3477c8ba1fbc8393b1bd56ff
Stats:     9 lines in 2 files changed: 2 ins; 0 del; 7 mod

8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

Reviewed-by: sgehwolf
Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750

-------------

PR: https://git.openjdk.org/jdk8u-dev/pull/381


More information about the jdk8u-dev mailing list