RFR: 8159393 - jlink should print a warning that a signed modular JAR will be treated as unsigned
Jim Laskey (Oracle)
james.laskey at oracle.com
Mon Nov 7 13:13:05 UTC 2016
But I need to be more careful with "Note that if such files are located in META-INF subdirectories, they are not considered signature-related.”
> On Nov 7, 2016, at 9:09 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:
>
> Thank you. Regarding SIG- I was just followed the spec.
>
>
> Signed JAR File
> <>Overview
> A JAR file can be signed by using the command line jarsigner <http://docs.oracle.com/javase/7/docs/technotes/guides/security/SecurityToolsSummary.html> tool or directly through the java.security API. Every file entry, including non-signature related files in the META-INF directory, will be signed if the JAR file is signed by the jarsigner tool. The signature related files are:
> META-INF/MANIFEST.MF
> META-INF/*.SF
> META-INF/*.DSA
> META-INF/*.RSA
> META-INF/SIG-*
> Note that if such files are located in META-INF subdirectories, they are not considered signature-related. Case-insensitive versions of these filenames are reserved and will also not be signed.
> Subsets of a JAR file can be signed by using the java.security API. A signed JAR file is exactly the same as the original JAR file, except that its manifest is updated and two additional files are added to the META-INF directory: a signature file and a signature block file. When jarsigner is not used, the signing program has to construct both the signature file and the signature block file.
>
>
>> On Nov 7, 2016, at 8:40 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>>
>>
>> n 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
>>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html <http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html>
>>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>>
>> I think this is the link:
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>>
>> I hope someone from the security area will be able to help review this. One thing that isn't clear to me is whether the check for META-INF/SIG-* is right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align with how JAR file verification checks for signed JARs.
>>
>> In passing, should the usage and warning use "modular JAR" rather than "modular jar"?
>>
>> -Alan
>>
>
More information about the jigsaw-dev
mailing list