RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v2]

Eirik Bjorsnos duke at openjdk.org
Sat Jan 14 13:21:43 UTC 2023


On Fri, 13 Jan 2023 22:36:47 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Eirik Bjorsnos has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains six additional commits since the last revision:
>> 
>>  - Check that non-signature related .SF, .RSA files are treated as regular (non signature related) files during signing
>>  - Merge branch 'master' into signature-related-subdirs
>>  - Simplify comment by removing a negative and changing "these paths" to "this path"
>>  - Use @modules tags instead of explicit --add-exports args
>>  - Merge branch 'master' into signature-related-subdirs
>>  - Files residing in subdirectories of META-INF/ should not be treated as signature related
>
> test/jdk/java/util/jar/JarFile/VerifyUnrelatedSignatureFiles.java line 61:
> 
>> 59:         File j = createJarFile();
>> 60:         File s = signJarFile(j, "signed");
>> 61:         File m = moveSignatureRelated(s);
> 
> Try sign it again to a different file. Let's see if the moved files are also signed.

Nice, I added a check which verifies that a JAR containing non signature related files is signed as expected

-------------

PR: https://git.openjdk.org/jdk/pull/11976


More information about the security-dev mailing list