RFR JDK-8179614: Test for jarsigner on verifying jars that are signed and timestamped by other JDK releases

Sean Mullan sean.mullan at oracle.com
Wed Jun 7 15:11:28 UTC 2017

On 6/6/17 9:14 PM, sha.jiang at oracle.com wrote:
> Hi Sean,
> On 07/06/2017 04:27, Sean Mullan wrote:
>> Hi John,
>> This looks like a very useful test. I have not gone through all of the 
>> code, but here are a few comments for now until I have more time:
>> - add tests for EC keys
>> - add tests for SHA-512 variants of the signature algorithms
>> - add tests for larger key sizes (ex: 2048 for DSA/RSA)
>> - you can use the diamond operator <> in various places
>> - might be more compact if jdkList() used Files.lines() to parse the 
>> file into a stream then an array
> I did consider the above two points. Because the test will be 
> backported to JDK 6, I only used the features supported by JDK 6.
> I supposed that would make the backport easier. Does it make sense?

Yes, that makes sense.


> Best regards,
> John Jiang
>> - did you consider using the jarsigner API (jdk.security.jarsigner) 
>> instead of the command-line? I think this would be better (if 
>> possible) and it would give us some more tests of that API.
>> --Sean
>> On 6/5/17 6:31 AM, sha.jiang at oracle.com wrote:
>>> Hi,
>>> Please review this manual test for checking if a jar, which is signed 
>>> and timestamped by a JDK build, could be verified by other JDK builds.
>>> It also can be used to check if the default timestamp digest 
>>> algorithm on signing is SHA-256.
>>> For more details, please look through the test summary.
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8179614
>>> Webrev: http://cr.openjdk.java.net/~jjiang/8179614/webrev.00/
>>> Best regards,
>>> John Jiang
