[9] request for review 8047353: Improve error message when a JAR with invalid signatures is loaded

Aaron Digulla digulla at hepe.com
Fri Jun 20 10:00:01 UTC 2014

Am Donnerstag, 19. Juni 2014 23:49 CEST, Joe Darcy <joe.darcy at oracle.com> schrieb: 
> I'd prefer to see the CheckJarSigError.sh as a Java program.

There original bug report contains a full self-contained test case in Java. Why was that split into several files?

I'm also a bit uneasy about the "just show the file name". I have thousands of JARs with the same name on my harddisk (several Maven repos, target folders, you name it). If you strip the path from the error message, then I have to somehow figure out the classpath which was used.

That might work when I run Java from the command line but when I use complex frameworks like OSGi or Maven which do all kinds of magic to determine which JARs they might want to load, then this doesn't help much.

At least add a command line option / system property which allows to see the full path.

Aaron "Optimizer" Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination.
Follow me and I'll show you something beyond the limits." 

More information about the security-dev mailing list