RFR: 8341775: Duplicate manifest files are removed by jarsigner after signing [v7]
Weijun Wang
weijun at openjdk.org
Mon Mar 10 17:11:04 UTC 2025
On Mon, 10 Mar 2025 15:59:23 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest (the current behavior should be maintained).
>>
>> **Note**: We cannot (so far) pass whether the verbose flag is set to the class that does this processing. We may want to add a property to the builder for this. As-is, the message will be printed via `System.err` whether verbose is set or not.
>
> Kevin Driver has updated the pull request incrementally with three additional commits since the last revision:
>
> - force-add jar
> - re-write to make the changes in the jarsigner tool itself, rather than the API
> - Revert "JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest."
>
> This reverts commit 06e90503f3e75b1b432ec0a196716f01ebb7344a.
>
> # Please enter the commit message for your changes. Lines starting
> # with '#' will be kept; you may remove them yourself if you want to.
> # An empty message aborts the commit.
> #
> # On branch 8341775
> # Your branch is up to date with 'origin/8341775'.
> #
> # Changes to be committed:
> # modified: src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
> #
test/jdk/sun/security/tools/jarsigner/MultiManifest.jar line 1:
> 1: PKO�rY META-INF/��PKPKO�rYMETA-INF/MANIFEST.MF�M��LK-.�
We usually do not include a binary file in the code repository. Can you generate one on the fly? Although JDK’s `ZipOutputStream` does not allow duplicate entries, you can add two entries whose names differ only by case. IIRC, when counting the number of manifests using `JUZFA.getManifestNum`, the check is case-insensitive.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22222#discussion_r1987704612
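
Added example, not part of the original message or of the JDK test suite: one way to build the test jar on the fly instead of checking in a binary, as the review comment suggests. The class name `MultiManifestJar`, the helpers `build` and `manifestNames`, and the manifest body are assumptions made for illustration; `manifestNames` is a plain case-insensitive name comparison standing in for the JDK-internal count, not that code itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class MultiManifestJar {
    // Constructed manifest body (assumption); a real test would use its own content.
    static final byte[] MANIFEST =
            "Manifest-Version: 1.0\r\n\r\n".getBytes(StandardCharsets.UTF_8);

    /** Builds a jar in memory containing exactly the given entry names, in order. */
    static byte[] build(String... names) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name)); // rejects only exact duplicate names
                if (!name.endsWith("/")) zos.write(MANIFEST); // directories carry no data
                zos.closeEntry();
            }
        }
        return bytes.toByteArray();
    }

    /** Lists entry names equal to META-INF/MANIFEST.MF when case is ignored. */
    static List<String> manifestNames(byte[] jar) throws IOException {
        List<String> found = new ArrayList<>();
        // ZipInputStream, not JarInputStream, so no manifest entry gets special handling.
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(jar))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                if (e.getName().equalsIgnoreCase("META-INF/MANIFEST.MF")) found.add(e.getName());
            }
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        // One META-INF directory, two manifests whose names differ only by case.
        byte[] jar = build("META-INF/", "META-INF/MANIFEST.MF", "META-INF/manifest.mf");
        System.out.println("manifest entries: " + manifestNames(jar));
        try {
            build("META-INF/MANIFEST.MF", "META-INF/MANIFEST.MF"); // identical names
        } catch (ZipException ze) {
            System.out.println("exact duplicate rejected: " + ze.getMessage());
        }
    }
}
```

A test would write the returned bytes to a file (for example with `Files.write`) before passing the jar to jarsigner.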