Fwd: CR 7004035 Updated, P4 java/classes_secu signed jar with only META-INF/* inside is not verifiable

Sean Mullan sean.mullan at oracle.com
Fri Dec 3 15:36:14 UTC 2010


On 12/3/10 4:35 AM, Weijun Wang wrote:
> Hi Sean
>
> Please review my code changes:
>
> http://cr.openjdk.java.net/~weijun/7004035/webrev.00/
>
> After this change, MANIFEST.MF's getSigners() and getCertificates() will not be
> null. Since every signer of the jar file has a hash of the manifest header, I
> regard all of them as signers of MANIFEST.MF.
>
> The code changes also include a small change to JarSigner:
>
> When -verbose:grouped is specified, jar entries with similar characters are
> grouped together. However, I still don't want to group a .SF (or .RSA) file and
> a normal unsigned entry (say, a class file added after the jar is signed) together.
> Thus I substitute the first letter of the label with "-" to distinguish between
> signature-related entries and the others. Now that MANIFEST can also be signed,
> its first letter is "s". Therefore I simply prefix the "-" before the label.
>
> concisejarsigner.sh test is also updated, since the number of signed files is
> changed.

Looks good.

--Sean
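
The behaviour discussed in this message can be checked from the public `java.util.jar` API. The following is an added example, not code from the webrev or from the message authors: it lists every entry of a jar with the number of signers the verifier reports, keeping signature-related files apart from ordinary entries as the jarsigner labels described above do. The class name `ManifestSignerCheck` and the jar path passed as the first argument are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ManifestSignerCheck {
    // Signature files and signature blocks directly under META-INF/ are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC"));
    }

    // Signers are only available once the entry has been read to the end;
    // a digest mismatch surfaces as a SecurityException during the read.
    static int signerCount(JarFile jar, JarEntry entry) throws Exception {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) { /* drain the stream */ }
        }
        CodeSigner[] signers = entry.getCodeSigners();
        return signers == null ? 0 : signers.length;
    }

    public static void main(String[] args) throws Exception {
        int unsigned = 0;
        // args[0]: path to the jar under test (assumption); true = verify signatures
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                int n = signerCount(jar, e);
                String label;
                if (isSignatureFile(e.getName())) {
                    label = "signature-related";
                } else if (n > 0) {
                    label = "signed by " + n;
                } else {
                    label = "UNSIGNED";
                    unsigned++;
                }
                System.out.printf("%-18s %s%n", label, e.getName());
            }
        }
        // Non-zero exit when any ordinary entry has no signer.
        System.exit(unsigned == 0 ? 0 : 1);
    }
}
```

With the change described above, `META-INF/MANIFEST.MF` of a signed jar is expected to show up as signed; an `UNSIGNED` line on any other entry marks a file that no signature covers, such as a class added after signing.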