RFR: 8365559: jarsigner shows files non-existent if signed with a weak algorithm [v2]

Bradford Wetmore wetmore at openjdk.org
Fri Aug 15 20:03:13 UTC 2025


On Fri, 15 Aug 2025 00:35:27 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> See the bug report for details. Basically, entries in the SF set should always be removed no matter if it's treated as signed or not.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   add comment to test

Marked as reviewed by wetmore (Reviewer).

test/jdk/sun/security/tools/jarsigner/RemovedFiles.java line 44:

> 42:             = "This jar contains signed entries for files that do not exist. See the -verbose output for more details.";
> 43:     private static final String WEAK_UNSIGNED
> 44:             = "The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled";

I know the existing test doesn't do this, but would it make sense to read the `resources/jarsigner.properties` files to get these messages instead of hard-coding them here?  Seems that if anyone were to change the messages down the road, they'll likely find out during test.

Otherwise, change looks good to me.

-------------

PR Review: https://git.openjdk.org/jdk/pull/26781#pullrequestreview-3124986035
PR Review Comment: https://git.openjdk.org/jdk/pull/26781#discussion_r2279788205

