RFR: 8309841: Jarsigner should print a warning if an entry is removed [v5]
Sean Mullan
mullan at openjdk.org
Fri Sep 27 13:52:39 UTC 2024
On Thu, 19 Sep 2024 12:06:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> There ~are two~ is one change~s~:
>>
>> 1. In `jarsigner -verify`, check a .SF file contains un-existing entries and print them out as
>>
>> Warning: nonexistent signed entries detected: [a]
>>
>> ~2. In `JarSigner::sign0`, when creating a new .SF file, only include signed file entries.~
>>
>> *Update*: Even when the JAR file is re-signed, the hash entry for the missing file will be in the new .SF file. There is no way to tell if this is for a file entry or a user-defined entry.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> expected result should be the 1st argument
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java line 182:
> 180: {"key.bit.eccurve.disabled", "%1$d-bit %2$s key (disabled)"},
> 181: {"unknown.size", "unknown size"},
> 182: {"nonexistent.entries.found", "Nonexistent signed entries detected. See details in -verbose output."},
For the second sentence, in other warning messages, we say "Re-run jarsigner with the -verbose option for more details." Perhaps we should be consistent?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/19599#discussion_r1778664509
More information about the security-dev
mailing list