RFR 8022761: SQE test regression on wrongly signed indexed jar file
Weijun Wang
weijun.wang at oracle.com
Mon Aug 19 13:11:18 UTC 2013
Hi Sherman
I try out "jar i" after signing and it puts INDEX.LIST at the very
beginning of the file. Does this mean INDEX.LIST was actually an
exception? Or it's just a bug?
Anyway, I think I should update the fix for 8021788 and here is the webrev:
http://cr.openjdk.java.net/~weijun/8022761/webrev.00/
Now it also skips INDEX.LIST, i.e. update line 142 to
if (uname.equals(JarFile.MANIFEST_NAME) ||
uname.equals(JarIndex.INDEX_NAME) ) {
After this change, if INDEX.LIST appears before the MANIFEST and
signature-related files, it will not be treated as signed. This should
usually be true because it only happens when you call "jar i" after
signing a jar which means INDEX.LIST *is* unsigned.
Thanks
Max
On 8/12/13 12:18 PM, Weijun Wang wrote:
> Hi Sherman
>
> SQE observes a regression in their test suite and
> the reason is my recent fix for 8021788 at
>
> http://hg.openjdk.java.net/jdk8/tl/jdk/rev/758e3117899c
>
> The jar file mentioned contains
>
> 66 Mon Jun 04 15:42:18 CST 2007 META-INF/INDEX.LIST
> 323 Sat Apr 01 15:47:28 CST 2000 META-INF/MANIFEST.MF
> 376 Mon Jun 04 15:41:00 CST 2007 META-INF/MYKEY.SF
> 972 Sat Apr 01 15:47:38 CST 2000 META-INF/MYKEY.DSA
> 0 Sat Apr 01 15:46:58 CST 2000 META-INF/
> 0 Sat Apr 01 15:45:16 CST 2000 test/
> 21 Sat Apr 01 15:46:24 CST 2000 test/test0
> 21 Sat Apr 01 15:46:18 CST 2000 test/test1
> 21 Sat Apr 01 15:46:04 CST 2000 test/test2
> 21 Sat Apr 01 15:46:10 CST 2000 test/test3
>
> After JDK-8021788, the file is regarded as an unsigned jar because the
> updated JarVerifier goes thru all signature-related files and treats all
> others not. Here the first one is not signature-related so none is.
>
> Is fix for JDK-8021788 wrong? Inside JarVerifier.java, we have
>
> * Assumptions:
> * 1. The manifest should be the first entry in the META-INF directory.
> * 2. The .SF/.DSA/.EC files follow the manifest, before any normal
> entries
>
> Is this INDEX.LIST an exception?
>
> Thanks
> Max
More information about the security-dev
mailing list