RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]

Eirik Bjorsnos duke at openjdk.org
Tue Jan 24 19:07:04 UTC 2023

On Tue, 24 Jan 2023 18:54:59 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Precisely `ZipFile::isSignatureRelated` should also contain those `SIG-` files. 

Should they though?  These files are ultimately read by JarFile.initializeVerifier, which I guess only cares about signature/block files it actually knows how to verify, currently EC, RSA, DSA?

> The feature is not used so I cannot say if it's wrong.

The JAR File Specification is a bit short on the purpose of these files. I assume they are expected to be verified by code external to the JDK?


PR: https://git.openjdk.org/jdk/pull/11976
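As an added illustration of the distinction the thread is about (not code from the JDK or from this PR), the hypothetical helper below classifies ZIP entry names the way the JAR File Specification describes META-INF signature files: only entries directly under `META-INF/` count, and the `SIG-` prefix branch follows the specification wording rather than the set of block types the JDK verifier actually handles.

```java
import java.util.Locale;

/** Hypothetical classifier for signature-related JAR entries; not JDK code. */
public final class SignatureEntryCheck {

    /**
     * Returns true for signature files (x.SF), signature block files
     * (x.DSA, x.RSA, x.EC) and SIG-* entries located directly in META-INF/.
     * Entries in META-INF subdirectories (e.g. META-INF/versions/9/...) and
     * entries outside META-INF/ are not signature-related.
     */
    public static boolean isSignatureRelated(String entryName) {
        // Entry names are matched case-insensitively, as the spec treats them.
        String upper = entryName.toUpperCase(Locale.ROOT);
        if (!upper.startsWith("META-INF/")) {
            return false;
        }
        String rest = upper.substring("META-INF/".length());
        // Any further '/' means the entry lives in a subdirectory of META-INF.
        if (rest.isEmpty() || rest.indexOf('/') >= 0) {
            return false;
        }
        return rest.endsWith(".SF")
            || rest.endsWith(".DSA")
            || rest.endsWith(".RSA")
            || rest.endsWith(".EC")
            || rest.startsWith("SIG-");   // per JAR File Specification wording
    }

    public static void main(String[] args) {
        // Constructed sample entry names covering the cases discussed above.
        String[] samples = {
            "META-INF/MYKEY.SF",
            "META-INF/MYKEY.RSA",
            "META-INF/SIG-ALT.DAT",        // SIG- prefixed entry
            "META-INF/versions/9/X.SF",    // subdirectory of META-INF
            "META-INF/MANIFEST.MF",
            "other/META-INF/X.SF"          // META-INF not at the root
        };
        for (String name : samples) {
            System.out.println(name + " -> " + isSignatureRelated(name));
        }
    }
}
```

Dropping the `SIG-` branch yields the narrower set that matches only the block file types a verifier would know how to process.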
