RFR: 8341775: Duplicate manifest files are removed by jarsigner after signing
Kevin Driver
kdriver at openjdk.org
Thu Nov 21 19:49:17 UTC 2024
On Thu, 21 Nov 2024 15:53:28 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
> I’d like to suggest creating a test program (for better long-term support) that generates a JAR file with multiple manifest entries and then uses JarSigner.Builder() and JarSigner.sign(). The JarSigner.sign() will ultimately invoke getManifestFile(), ensuring that the new warning about multiple manifest entries is emitted.
Dynamically creating the needed jar files to perform a test would depend on the file system of the platform (i.e., macOS cannot create two different files with the same name but different cases). Furthermore, we cannot create a jar with two different META-INF directories at the root, both with two different all-caps MANIFEST.MF files dynamically. Unless I am mistaken.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22222#issuecomment-2492120593
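
An added example, not part of this message or of the PR: a check that lists every archive entry whose name matches META-INF/MANIFEST.MF ignoring case, run against sample archives constructed in memory. The class and method names are hypothetical, and treating a case-insensitive name match as a duplicate manifest is an assumption of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class DuplicateManifestCheck {
    static final String MANIFEST = "META-INF/MANIFEST.MF";

    // Constructed sample: entries are written to a byte stream, not to disk.
    // ZipOutputStream rejects two entries with the identical name, so the
    // sample uses names that differ only in case.
    static byte[] buildSample(String... names) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("Manifest-Version: 1.0\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    // Stream the archive and collect every entry name that equals
    // META-INF/MANIFEST.MF ignoring case. Streaming visits each entry in
    // order instead of resolving a single entry by name.
    static List<String> manifestEntries(byte[] jar) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(jar))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                if (e.getName().equalsIgnoreCase(MANIFEST)) hits.add(e.getName());
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        byte[] dup = buildSample("META-INF/MANIFEST.MF", "meta-inf/manifest.mf", "a.txt");
        byte[] ok = buildSample("META-INF/MANIFEST.MF", "a.txt");
        // More than one hit means the archive should be flagged before signing.
        System.out.println("dup: " + manifestEntries(dup));
        System.out.println("ok:  " + manifestEntries(ok));
    }
}
```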
More information about the security-dev
mailing list