RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC
Alan Bateman
alanb at openjdk.org
Tue Mar 4 08:56:54 UTC 2025
On Sun, 9 Feb 2025 05:02:07 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
I think we need to stand back from all this validation and consider what validation/checking should be done by jar tool vs. jarsigner tool. I think there is a strong argument to expand what `jar --validate` does (or add a new option) so that the jar tool can do the integrity checks that include the checks to ensure that the CEN and LOC entries are consistent. The `jarsigner -verify` option could augment that with focus on the signing rather than on ZIP or JAR file integrity issues.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/23532#issuecomment-2696686476
More information about the security-dev
mailing list