RFR - 8132734: java.util.jar.* changes to support multi-release jar files

Steve Drach steve.drach at oracle.com
Wed Sep 30 18:30:40 UTC 2015


Hi Max,

> Can you describe if there is any effect on signed jars? Including:
> 
> 1. Will jarsigner be able to sign such a jar?

The jarsigner from 1.8.0_51 can sign the jar.  The jarsigner from jdk9/dev can not, giving me the error

jarsigner: unable to sign jar: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I’m unsure what that means, and searching for it has not turned up anything useful except that it might be limited to Mac OS/X.  If anyone can help me here, I’d appreciate it.

> Are all items inside signed?

Yes, according to the manifest and the .sf file

> If you sign a jar using jarsigner from different versions of JDK, will there be any difference?

Not sure yet due to the previously mentioned error I get with JDK 9 jarsigner

> 
> 2. Will jarsigner be able to verify such a jar?

Yes.  Both the JDK 8 and JDK 9 jarsigners can verify the file originally signed by JDK 8 jarsigner

> Will it only verify entries for the current version or all?

It should be all, but of course that depends on how jarsigner accesses the JarFile entries.  If it just opens the JarFile and uses the Enumeration returned by JarFile.entries() or the stream returned by JarFile.stream() then it will see all entries including all versions of entries.  

As a simple test, I modified a versioned entry and then ran both the JDK 8 and JDK 9 jarsigners to verify the jar file.  The modified entry was caught (i.e. verification failed) 


> Will jarsigner from an old JDK verify the new jar?

I can’t sign the jar with the JDK 9 jar signer, so I can’t answer that yet.

> 
> 3. As I know, JarFile has 2 ways to verify a jar file, one using public APIs. One through SharedSecrets.setJavaUtilJarAccess() which can call more methods. Have you confirmed both work?

I’ve only verified it with the jarsigner tool.  Without looking at the code, I suspect the tool uses the public API’s, so I’ll need to come up with something that uses the SharedSecrets API.  I will do that.

> 
> Yes, I'd also like some tests on these.

Sure.



More information about the security-dev mailing list