A 8021788 regression? 8022761: SQE test regression on wrongly signed indexed jar file

Weijun Wang weijun.wang at oracle.com
Mon Aug 12 04:18:02 UTC 2013


Hi Sherman

SQE observes a regression in their test suite and
the reason is my recent fix for 8021788 at

   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/758e3117899c

The jar file mentioned contains

     66 Mon Jun 04 15:42:18 CST 2007 META-INF/INDEX.LIST
    323 Sat Apr 01 15:47:28 CST 2000 META-INF/MANIFEST.MF
    376 Mon Jun 04 15:41:00 CST 2007 META-INF/MYKEY.SF
    972 Sat Apr 01 15:47:38 CST 2000 META-INF/MYKEY.DSA
      0 Sat Apr 01 15:46:58 CST 2000 META-INF/
      0 Sat Apr 01 15:45:16 CST 2000 test/
     21 Sat Apr 01 15:46:24 CST 2000 test/test0
     21 Sat Apr 01 15:46:18 CST 2000 test/test1
     21 Sat Apr 01 15:46:04 CST 2000 test/test2
     21 Sat Apr 01 15:46:10 CST 2000 test/test3

After JDK-8021788, the file is regarded as an unsigned jar because the 
updated JarVerifier goes through all signature-related files and treats all 
others not. Here the first one is not signature-related so none is.

Is the fix for JDK-8021788 wrong? Inside JarVerifier.java, we have

   * Assumptions:
   * 1. The manifest should be the first entry in the META-INF directory.
   * 2. The .SF/.DSA/.EC files follow the manifest, before any normal entries

Is this INDEX.LIST an exception?

Thanks
Max
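
An added example, not part of the original message and not the JDK's JarVerifier code: a simplified Python model of the ordering behaviour described above, which reports the signature-related entries that fall after the first unrelated entry in a jar. The function names, the inclusion of `.RSA`, and the treatment of the manifest as part of the leading block are assumptions; the sample jar is constructed with empty placeholder contents.

```python
import io
import zipfile
from itertools import takewhile

# Extensions named in the JarVerifier comment quoted above, plus .RSA
# (assumption: also treated as a signature block extension).
SIG_EXTS = (".SF", ".DSA", ".RSA", ".EC")
MANIFEST = "META-INF/MANIFEST.MF"


def is_signature_related(name):
    """True for the manifest and signature files directly under META-INF/."""
    upper = name.upper()
    if not upper.startswith("META-INF/") or "/" in upper[len("META-INF/"):]:
        return False
    return upper == MANIFEST or upper.endswith(SIG_EXTS)


def check_jar(data):
    """Return (seen, skipped) signature-related entry names for jar bytes.

    Model of the described behaviour: only the leading run of
    signature-related entries is seen; any that come later are skipped.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()  # central-directory order
    seen = list(takewhile(is_signature_related, names))
    skipped = [n for n in names[len(seen):] if is_signature_related(n)]
    return seen, skipped


def build_jar(names):
    """Build an in-memory jar with empty entries in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed sample: entry order copied from the listing in the message.
INDEXED = ["META-INF/INDEX.LIST", "META-INF/MANIFEST.MF", "META-INF/MYKEY.SF",
           "META-INF/MYKEY.DSA", "META-INF/", "test/", "test/test0"]

if __name__ == "__main__":
    seen, skipped = check_jar(build_jar(INDEXED))
    print("seen:", seen)
    print("skipped:", skipped)
```

A non-empty `skipped` list marks a jar whose signature files would be overlooked under this model, as with the indexed jar in the message.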
