RFR: 8341775: Duplicate manifest files are removed by jarsigner after signing [v7]
Weijun Wang
weijun at openjdk.org
Mon Mar 10 17:04:04 UTC 2025
On Mon, 10 Mar 2025 15:59:23 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest (the current behavior should be maintained).
>>
>> **Note**: We cannot (so far) pass whether the verbose flag is set to the class that does this processing. We may want to add a property to the builder for this. As-is, the message will be printed via `System.err` whether verbose is set or not.
>
> Kevin Driver has updated the pull request incrementally with three additional commits since the last revision:
>
> - force-add jar
> - re-write to make the changes in the jarsigner tool itself, rather than the API
> - Revert "JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest."
>
> This reverts commit 06e90503f3e75b1b432ec0a196716f01ebb7344a.
>
> # Please enter the commit message for your changes. Lines starting
> # with '#' will be kept; you may remove them yourself if you want to.
> # An empty message aborts the commit.
> #
> # On branch 8341775
> # Your branch is up to date with 'origin/8341775'.
> #
> # Changes to be committed:
> # modified: src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
> #
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1986:
> 1984: if(manifestNum > 1) {
> 1985: System.out.println();
> 1986: System.out.println(rb.getString("Warning."));
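Review bot: At line 1984, `if(manifestNum > 1)` has no space between `if` and the opening parenthesis. Write it as `if (manifestNum > 1) {` to follow conventional Java formatting.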
Typically, we don’t print a warning immediately when a problem is detected. Instead, we log a flag and display the warnings later in the `displayMessagesAndResult` method. If a warning is printed too early, and there are a lot of additional lines after it (for example, with `-verbose` enabled and many entries), the warning may be overlooked.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22222#discussion_r1987694092