RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v3]

Hai-May Chao hchao at openjdk.org
Tue Jul 30 21:51:33 UTC 2024


On Tue, 30 Jul 2024 15:10:50 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> There is an error in `jarsigner` on the "This JAR contains signed entries that aren't signed by alias in this keystore" warning. The exit code is determined by [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L344) but the warning message is controlled by [`allAliasesFound`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L1183).
>> 
>> Also, inside the `inKeyStoreForOneSigner()` method, all certificates in a cert chain are used to determine whether the signer is in a keystore, and if any is inside, the JAR file is treated as being signed by an alias in this keystore. In fact, only the end-entity certificate (the first one in the chain) should be checked.
>> 
>> After the fix, the `allAliasesFound` field and the `SOME_ALIASES_NOT_FOUND` constant are useless and can be removed.
>> 
>> *Update*: this warning is reclassified as an informational warning in the latest commits.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   ensure aliasNotInStore is not severe

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1759:

> 1757:                     // must continue with next certificate c and cannot
> 1758:                     // return or break outer loop because has to fill
> 1759:                     // storeHash for printCer

Nits: s/printCer/printCert

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/19701#discussion_r1697612208
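To make the two checks the quoted description contrasts concrete, here is an added Go example (not jarsigner's code; the keystore is modelled as an alias-to-certificate map and the chain is generated in-process with the standard library). It builds root -> intermediate -> signer, puts only the intermediate CA into the keystore, and shows that a check over every certificate in the chain claims the signer is "in the keystore" while the end-entity-only check correctly does not.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var serial int64 // distinct serial number per issued certificate
// newCert issues a certificate for cn signed by parent; self-signed when parent is nil.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, parentKey = tmpl, priv }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// Keystore models (hypothetically) the alias -> certificate view jarsigner builds from the -keystore option.
type Keystore map[string]*x509.Certificate
// signedByAliasAnyInChain models the pre-fix check: any chain certificate equal to a keystore entry counts.
func signedByAliasAnyInChain(ks Keystore, chain []*x509.Certificate) bool {
	for _, c := range chain {
		for _, k := range ks {
			if c.Equal(k) { return true }
		}
	}
	return false
}
// signedByAliasEndEntity is the corrected check: only chain[0], the signer's own certificate, decides.
func signedByAliasEndEntity(ks Keystore, chain []*x509.Certificate) bool {
	return signedByAliasAnyInChain(ks, chain[:1])
}
// buildScenario constructs root -> intermediate -> signer and a keystore holding only the intermediate CA (constructed sample data).
func buildScenario() (Keystore, []*x509.Certificate) {
	root, rootKey := newCert("Root CA", true, nil, nil)
	inter, interKey := newCert("Intermediate CA", true, root, rootKey)
	signer, _ := newCert("jar signer", false, inter, interKey)
	return Keystore{"intermediate": inter}, []*x509.Certificate{signer, inter, root}
}
func main() {
	ks, chain := buildScenario()
	fmt.Printf("any cert in chain: %v, end-entity only: %v\n", signedByAliasAnyInChain(ks, chain), signedByAliasEndEntity(ks, chain))
}
```

The stand-alone run prints `any cert in chain: true, end-entity only: false`: the CA-only keystore is mistaken for the signer by the chain-wide check, which is exactly the divergence the PR removes by checking the end-entity certificate alone.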
