RFR: 8159393 - jlink should print a warning that a signed modular JAR will be treated as unsigned
Jim Laskey (Oracle)
james.laskey at oracle.com
Mon Nov 7 13:09:19 UTC 2016
Thank you. Regarding SIG- I was just followed the spec.
Signed JAR File
<>Overview
A JAR file can be signed by using the command line jarsigner <http://docs.oracle.com/javase/7/docs/technotes/guides/security/SecurityToolsSummary.html> tool or directly through the java.security API. Every file entry, including non-signature related files in the META-INF directory, will be signed if the JAR file is signed by the jarsigner tool. The signature related files are:
META-INF/MANIFEST.MF
META-INF/*.SF
META-INF/*.DSA
META-INF/*.RSA
META-INF/SIG-*
Note that if such files are located in META-INF subdirectories, they are not considered signature-related. Case-insensitive versions of these filenames are reserved and will also not be signed.
Subsets of a JAR file can be signed by using the java.security API. A signed JAR file is exactly the same as the original JAR file, except that its manifest is updated and two additional files are added to the META-INF directory: a signature file and a signature block file. When jarsigner is not used, the signing program has to construct both the signature file and the signature block file.
> On Nov 7, 2016, at 8:40 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>
>
> n 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html <http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html>
>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>
> I think this is the link:
> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>
> I hope someone from the security area will be able to help review this. One thing that isn't clear to me is whether the check for META-INF/SIG-* is right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align with how JAR file verification checks for signed JARs.
>
> In passing, should the usage and warning use "modular JAR" rather than "modular jar"?
>
> -Alan
>
More information about the jigsaw-dev
mailing list