RFR: 8341775: Duplicate manifest files are removed by jarsigner after signing [v3]

Weijun Wang weijun at openjdk.org
Thu Jan 2 22:31:37 UTC 2025 

On Thu, 2 Jan 2025 15:30:50 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest (the current behavior should be maintained).
>> 
>> **Note**: We cannot (so far) pass whether the verbose flag is set to the class that does this processing. We may want to add a property to the builder for this. As-is, the message will be printed via `System.err` whether verbose is set or not.
>
> Kevin Driver has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
> 
>  - Merge branch 'master' of https://github.com/openjdk/jdk into 8341775
>    # Please enter a commit message to explain why this merge is necessary,
>    # especially if it merges an updated upstream into a topic branch.
>    #
>    # Lines starting with '#' will be ignored, and an empty message aborts
>    # the commit.
>  - Merge branch 'master' of github.com:openjdk/jdk into 8341775
>    # Please enter a commit message to explain why this merge is necessary,
>    # especially if it merges an updated upstream into a topic branch.
>    #
>    # Lines starting with '#' will be ignored, and an empty message aborts
>    # the commit.
>  - JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest.

What I meant is that besides using `jarsigner` tool to sign a JAR file, users can also use the `JarSigner` API to sign. In this case, I don't think there should be any `System.err` output. You're right that passing the verbose option into builder is awkward. Have you thought about moving the newly added lines into the `jarsigner` tool?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22222#issuecomment-2568459704

More information about the security-dev mailing list