RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]
Eirik Bjorsnos
duke at openjdk.org
Tue Jan 24 19:07:04 UTC 2023
On Tue, 24 Jan 2023 18:54:59 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Precisely `ZipFile::isSignatureRelated` should also contain those `SIG-` files.
Should they though? These files are ultimately read by JarFile.initializeVerifier, which I guess only cares about signature/block files it actually knows how to verify, currently EC, RSA, DSA?
> The feature is not used so I cannot say if it's wrong.
The JAR File Specification is a bit short on the purpose of these files. I assume they are expected to be verified by code external to the JDK?
-------------
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev mailing list
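As an added illustration, not code from the JDK or from this PR, the following Java rule accepts signature-related entries only when they sit directly under `META-INF/` (the subdirectory case in the PR title is rejected) and carries a switch for the `SIG-` prefix question raised above. The class name and the `includeSigPrefix` parameter are assumptions for this example.

```java
import java.util.List;
import java.util.Locale;

// Added illustration, not the JDK's own implementation: a classification
// rule for JAR signature-related entries that only accepts files placed
// directly in META-INF/ (no subdirectories). The SIG- branch reflects the
// open question in the thread and is switchable.
public final class SignatureRelatedCheck {

    private static final String META_INF = "META-INF/";

    // Returns true for .SF files and the .RSA/.DSA/.EC block files (and,
    // when includeSigPrefix is set, SIG-* files) located directly under
    // META-INF/. Entries in META-INF subdirectories are rejected.
    public static boolean isSignatureRelated(String name, boolean includeSigPrefix) {
        if (name == null || !name.startsWith(META_INF)) {
            return false;
        }
        String fileName = name.substring(META_INF.length());
        // A '/' after META-INF/ means the entry lives in a subdirectory.
        if (fileName.isEmpty() || fileName.indexOf('/') >= 0) {
            return false;
        }
        String upper = fileName.toUpperCase(Locale.ROOT);
        if (upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC")) {
            return true;
        }
        return includeSigPrefix && upper.startsWith("SIG-");
    }

    public static void main(String[] args) {
        // Constructed sample entry names, not taken from a real JAR.
        List<String> names = List.of(
                "META-INF/MANIFEST.MF",
                "META-INF/ALIAS.SF",
                "META-INF/ALIAS.RSA",
                "META-INF/sub/ALIAS.SF",   // subdirectory: must be false
                "META-INF/SIG-ALIAS",      // true only with includeSigPrefix
                "com/example/Foo.class");
        for (String n : names) {
            System.out.printf("%-26s strict=%-5b withSig=%b%n", n,
                    isSignatureRelated(n, false), isSignatureRelated(n, true));
        }
    }
}
```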