RFR: 8159393 - jlink should print a warning that a signed modular JAR will be treated as unsigned

Wang Weijun weijun.wang at oracle.com
Mon Nov 7 14:33:12 UTC 2016 

Great. I asked the question because you will need the exact same check to determine what files should be ignored and I thought they should appear in the same webrev. If it's already done somewhere else please make sure it is the same. 

Thanks
Max

> 在 2016年11月7日,22:11,Jim Laskey (Oracle) <james.laskey at oracle.com> 写道:
> 
> The security entries are (have been) ignored when building the image.  At some future date (post-9), we need to decide how to sign an image.
> 
> — Jim
> 
> 
>> On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
>> 
>> The code block below checking if a jar file was signed is correct.
>> 
>> There is one thing I don't understand, the --strip-signing-information option. It looks like you will remove the signature-related files if this option is set. But, where are they stripped?
>> 
>> Thanks
>> Max
>> 
>>> On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
>>> Apologies for the poor links earlier.
>>> 
>>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>> 
>>> 
>>>> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:
>>>> 
>>>> Revising to
>>>> 
>>>>                  String name = entry.name().toUpperCase(Locale.ENGLISH);
>>>> 
>>>>                  return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>>>>                              name.endsWith(".SF") ||
>>>>                              name.endsWith(".DSA") ||
>>>>                              name.endsWith(".RSA") ||
>>>>                              name.endsWith(".EC") ||
>>>>                              name.startsWith("META-INF/SIG-")
>>>>                          );
>>>> 
>>>> 
>>>>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:
>>>>> 
>>>>> Right.  From SignatureFileVerifier.java
>>>>> 
>>>>> 
>>>>> /**
>>>>>  * Utility method used by JarVerifier and JarSigner
>>>>>  * to determine the signature file names and PKCS7 block
>>>>>  * files names that are supported
>>>>>  *
>>>>>  * @param s file name
>>>>>  * @return true if the input file name is a supported
>>>>>  *          Signature File or PKCS7 block file name
>>>>>  */
>>>>> public static boolean isBlockOrSF(String s) {
>>>>>     // we currently only support DSA and RSA PKCS7 blocks
>>>>>     return s.endsWith(".SF")
>>>>>         || s.endsWith(".DSA")
>>>>>         || s.endsWith(".RSA")
>>>>>         || s.endsWith(".EC");
>>>>> }
>>>>> 
>>>>> /**
>>>>>  * Yet another utility method used by JarVerifier and JarSigner
>>>>>  * to determine what files are signature related, which includes
>>>>>  * the MANIFEST, SF files, known signature block files, and other
>>>>>  * unknown signature related files (those starting with SIG- with
>>>>>  * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>>>>  *
>>>>>  * @param name file name
>>>>>  * @return true if the input file name is signature related
>>>>>  */
>>>>> public static boolean isSigningRelated(String name) {
>>>>>     name = name.toUpperCase(Locale.ENGLISH);
>>>>>     if (!name.startsWith("META-INF/")) {
>>>>>         return false;
>>>>>     }
>>>>>     name = name.substring(9);
>>>>>     if (name.indexOf('/') != -1) {
>>>>>         return false;
>>>>>     }
>>>>>     if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>>>>         return true;
>>>>>     } else if (name.startsWith("SIG-")) {
>>>>>         // check filename extension
>>>>>         // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>>>>         // for what filename extensions are legal
>>>>>         int extIndex = name.lastIndexOf('.');
>>>>>         if (extIndex != -1) {
>>>>>             String ext = name.substring(extIndex + 1);
>>>>>             // validate length first
>>>>>             if (ext.length() > 3 || ext.length() < 1) {
>>>>>                 return false;
>>>>>             }
>>>>>             // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>>>>             for (int index = 0; index < ext.length(); index++) {
>>>>>                 char cc = ext.charAt(index);
>>>>>                 // chars are promoted to uppercase so skip lowercase checks
>>>>>                 if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>>>>                     return false;
>>>>>                 }
>>>>>             }
>>>>>         }
>>>>>         return true; // no extension is OK
>>>>>     }
>>>>>     return false;
>>>>> }
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>>>>>> 
>>>>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>>>> 
>>>>>>> Thank you.  Regarding SIG- I was just followed the spec.
>>>>>>> 
>>>>>> I hope Sean or Max can jump in on this, the other question is .EC as I believe the JDK allows this when signing too.
>>>>>> 
>>>>>> -Alan
>>>>> 
>>>> 
>>> 
>

More information about the jigsaw-dev mailing list