RFR: 8159393 - jlink should print a warning that a signed modular JAR will be treated as unsigned
Alan Bateman
Alan.Bateman at oracle.com
Mon Nov 7 12:40:39 UTC 2016
n 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html <http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html>
> https://bugs.openjdk.java.net/browse/JDK-8159393
>
I think this is the link:
http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
I hope someone from the security area will be able to help review this.
One thing that isn't clear to me is whether the check for META-INF/SIG-*
is right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align
with how JAR file verification checks for signed JARs.
In passing, should the usage and warning use "modular JAR" rather than
"modular jar"?
-Alan
More information about the jigsaw-dev
mailing list