A 8021788 regression? 8022761: SQE test regression on wrongly signed indexed jar file
Weijun Wang
weijun.wang at oracle.com
Mon Aug 12 04:18:02 UTC 2013
Hi Sherman
SQE observes a regression in their test suite and
the reason is my recent fix for 8021788 at
http://hg.openjdk.java.net/jdk8/tl/jdk/rev/758e3117899c
The jar file mentioned contains
66 Mon Jun 04 15:42:18 CST 2007 META-INF/INDEX.LIST
323 Sat Apr 01 15:47:28 CST 2000 META-INF/MANIFEST.MF
376 Mon Jun 04 15:41:00 CST 2007 META-INF/MYKEY.SF
972 Sat Apr 01 15:47:38 CST 2000 META-INF/MYKEY.DSA
0 Sat Apr 01 15:46:58 CST 2000 META-INF/
0 Sat Apr 01 15:45:16 CST 2000 test/
21 Sat Apr 01 15:46:24 CST 2000 test/test0
21 Sat Apr 01 15:46:18 CST 2000 test/test1
21 Sat Apr 01 15:46:04 CST 2000 test/test2
21 Sat Apr 01 15:46:10 CST 2000 test/test3
After JDK-8021788, the file is regarded as an unsigned jar because the
updated JarVerifier goes thru all signature-related files and treats all
others not. Here the first one is not signature-related so none is.
Is the fix for JDK-8021788 wrong? Inside JarVerifier.java, we have
* Assumptions:
* 1. The manifest should be the first entry in the META-INF directory.
* 2. The .SF/.DSA/.EC files follow the manifest, before any normal entries
Is this INDEX.LIST an exception?
Thanks
Max
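
An added illustration, not part of the original message and not JDK code: a small Python model of the ordering behaviour described above, where only the signature-related entries at the head of the stream count and the first other file ends that block. The function names, the classification rule and the skipping of directory entries are assumptions of this model; the entry names are taken from the listing in the message, with placeholder contents.

```python
import io
import zipfile

# Constructed sample: entry names in the order listed in the message;
# the contents are placeholders, not the real test jar.
PAGE_ORDER = [
    "META-INF/INDEX.LIST", "META-INF/MANIFEST.MF", "META-INF/MYKEY.SF",
    "META-INF/MYKEY.DSA", "META-INF/", "test/", "test/test0",
    "test/test1", "test/test2", "test/test3",
]

def build_jar(names):
    """Write a placeholder archive whose entries appear in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"" if name.endswith("/") else b"placeholder\n")
    return buf.getvalue()

def stream_order(jar_bytes):
    """Entry names in physical order, as a streaming reader meets them."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
        return [i.filename for i in infos]

def is_signature_related(name):
    """Assumed rule: the manifest, a .SF file, or a .DSA/.RSA/.EC block
    located directly under META-INF/."""
    upper = name.upper()
    if not upper.startswith("META-INF/") or "/" in upper[9:]:
        return False
    return upper[9:] == "MANIFEST.MF" or upper.endswith((".SF", ".DSA", ".RSA", ".EC"))

def leading_signature_block(names):
    """Signature-related entries seen before the first other file entry.
    Assumption of this model: directory entries are skipped."""
    block = []
    for name in names:
        if name.endswith("/"):
            continue
        if not is_signature_related(name):
            break
        block.append(name)
    return block

def regarded_as_signed(names):
    """Signed only if a .SF file sits inside the leading block."""
    return any(n.upper().endswith(".SF") for n in leading_signature_block(names))
```

Run over the listing above, the leading block is empty because META-INF/INDEX.LIST comes first, so the model reports the jar as unsigned; with INDEX.LIST moved behind MYKEY.DSA the same entries are reported as signed.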