RFR: 8159393 - jlink should print a warning that a signed modular JAR will be treated as unsigned
Jim Laskey (Oracle)
james.laskey at oracle.com
Mon Nov 7 14:11:34 UTC 2016
The security entries are (have been) ignored when building the image. At some future date (post-9), we need to decide how to sign an image.
— Jim
> On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
>
> The code block below checking if a jar file was signed is correct.
>
> There is one thing I don't understand, the --strip-signing-information option. It looks like you will remove the signature-related files if this option is set. But, where are they stripped?
>
> Thanks
> Max
>
> On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
>> Apologies for the poor links earlier.
>>
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>
>>
>>> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:
>>>
>>> Revising to
>>>
>>> String name = entry.name().toUpperCase(Locale.ENGLISH);
>>>
>>> return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>>> name.endsWith(".SF") ||
>>> name.endsWith(".DSA") ||
>>> name.endsWith(".RSA") ||
>>> name.endsWith(".EC") ||
>>> name.startsWith("META-INF/SIG-")
>>> );
>>>
>>>
>>>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:
>>>>
>>>> Right. From SignatureFileVerifier.java
>>>>
>>>>
>>>> /**
>>>> * Utility method used by JarVerifier and JarSigner
>>>> * to determine the signature file names and PKCS7 block
>>>> * files names that are supported
>>>> *
>>>> * @param s file name
>>>> * @return true if the input file name is a supported
>>>> * Signature File or PKCS7 block file name
>>>> */
>>>> public static boolean isBlockOrSF(String s) {
>>>> // we currently only support DSA and RSA PKCS7 blocks
>>>> return s.endsWith(".SF")
>>>> || s.endsWith(".DSA")
>>>> || s.endsWith(".RSA")
>>>> || s.endsWith(".EC");
>>>> }
>>>>
>>>> /**
>>>> * Yet another utility method used by JarVerifier and JarSigner
>>>> * to determine what files are signature related, which includes
>>>> * the MANIFEST, SF files, known signature block files, and other
>>>> * unknown signature related files (those starting with SIG- with
>>>> * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>>> *
>>>> * @param name file name
>>>> * @return true if the input file name is signature related
>>>> */
>>>> public static boolean isSigningRelated(String name) {
>>>> name = name.toUpperCase(Locale.ENGLISH);
>>>> if (!name.startsWith("META-INF/")) {
>>>> return false;
>>>> }
>>>> name = name.substring(9);
>>>> if (name.indexOf('/') != -1) {
>>>> return false;
>>>> }
>>>> if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>>> return true;
>>>> } else if (name.startsWith("SIG-")) {
>>>> // check filename extension
>>>> // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>>> // for what filename extensions are legal
>>>> int extIndex = name.lastIndexOf('.');
>>>> if (extIndex != -1) {
>>>> String ext = name.substring(extIndex + 1);
>>>> // validate length first
>>>> if (ext.length() > 3 || ext.length() < 1) {
>>>> return false;
>>>> }
>>>> // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>>> for (int index = 0; index < ext.length(); index++) {
>>>> char cc = ext.charAt(index);
>>>> // chars are promoted to uppercase so skip lowercase checks
>>>> if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>>> return false;
>>>> }
>>>> }
>>>> }
>>>> return true; // no extension is OK
>>>> }
>>>> return false;
>>>> }
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>>>>>
>>>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>>>
>>>>>> Thank you. Regarding SIG- I was just followed the spec.
>>>>>>
>>>>> I hope Sean or Max can jump in on this, the other question is .EC as I believe the JDK allows this when signing too.
>>>>>
>>>>> -Alan
>>>>
>>>
>>
More information about the jigsaw-dev
mailing list