RFR - 8132734: java.util.jar.* changes to support multi-release jar files

Steve Drach steve.drach at oracle.com
Wed Sep 30 23:53:22 UTC 2015 

Hi Max,

Here are updated answers to your questions, after I received some help (thank you Sean Mullan).

> Can you describe if there is any effect on signed jars? Including:
> 
> 1. Will jarsigner be able to sign such a jar?

The jarsigner from 1.8.0_51 can sign the jar.  The jarsigner from jdk9/dev can also sign the jar.

> Are all items inside signed?

Yes, according to the manifest and the .sf file

> If you sign a jar using jarsigner from different versions of JDK, will there be any difference?

Yes, there is unfortunately.  This is what I found out:
- JDK 8 jar signer does not work with a JDK 9 created keystore
- JDK 8 signed jar with JDK 8 created keystore is not the same size as JDK 9 signed jar with JDK 9 keystore
- JDK 8 signed jar with JDK 8 created keystore is not the same size as JDK 9 signed jar with the same JDK 8 keystore

I am not sure what factors are in play here, but something certainly depends on what version of keytool is used to create the keystone.  The last fact above seems to imply the answer to your question is yes, there is a difference as measured by jar file size.  The META-INF/ALIAS.SF and META-INF/ALIAS.DSA files are different sizes in each jar file.

If somebody has an idea on how to analyze this, please let me know.  I’m a bit clueless at the moment.

> 
> 2. Will jarsigner be able to verify such a jar?

Yes.  Both the JDK 8 and JDK 9 jarsigners can verify both the signed files, one from JDK 8 and one from JDK 9

> Will it only verify entries for the current version or all?

It should be all, but of course that depends on how jarsigner accesses the JarFile entries.  If it just opens the JarFile and uses the Enumeration returned by JarFile.entries() or the stream returned by JarFile.stream() then it will see all entries including all versions of entries.  

As a simple test, I modified a versioned entry and then ran both the JDK 8 and JDK 9 jarsigners to verify the jar file.  The modified entry was caught (i.e. verification failed) 


> Will jarsigner from an old JDK verify the new jar?

Yes, see answer to question 2.

> 
> 3. As I know, JarFile has 2 ways to verify a jar file, one using public APIs. One through SharedSecrets.setJavaUtilJarAccess() which can call more methods. Have you confirmed both work?

I’ve only verified it with the jarsigner tool.  Without looking at the code, I suspect the tool uses the public API’s, so I’ll need to come up with something that uses the SharedSecrets API.  I will do that.

> 
> Yes, I'd also like some tests on these.

Sure.

More information about the security-dev mailing list