RFR: 8365559: jarsigner shows files non-existent if signed with a weak algorithm [v2]

Weijun Wang weijun at openjdk.org
Fri Aug 15 20:59:11 UTC 2025


On Fri, 15 Aug 2025 19:59:58 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:

>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   add comment to test
>
> test/jdk/sun/security/tools/jarsigner/RemovedFiles.java line 44:
> 
>> 42:             = "This jar contains signed entries for files that do not exist. See the -verbose output for more details.";
>> 43:     private static final String WEAK_UNSIGNED
>> 44:             = "The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled";
> 
> I know the existing test doesn't do this, but would it make sense to read the `resources/jarsigner.properties` files to get these messages instead of hard-coding them here?  Seems that if anyone were to change the messages down the road, they'll likely find out during test.
> 
> Otherwise, change looks good to me.

That's possible, but it would require users to cross-reference the properties file to find out the actual text. Also, the keys in the properties file are quite inconsistent now. Older ones are always the English message with non-alphanumeric characters replaced by dots, and newer ones may be in a shorter title style.

Yes, if the message is updated, the test will need to be updated as well.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26781#discussion_r2279875306

