RFR: 8341775: Duplicate manifest files are removed by jarsigner after signing [v7]
Kevin Driver
kdriver at openjdk.org
Mon Mar 10 21:13:59 UTC 2025
On Mon, 10 Mar 2025 17:08:42 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Kevin Driver has updated the pull request incrementally with three additional commits since the last revision:
>>
>> - force-add jar
>> - re-write to make the changes in the jarsigner tool itself, rather than the API
>> - Revert "JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest."
>>
>> This reverts commit 06e90503f3e75b1b432ec0a196716f01ebb7344a.
>>
>> # Please enter the commit message for your changes. Lines starting
>> # with '#' will be kept; you may remove them yourself if you want to.
>> # An empty message aborts the commit.
>> #
>> # On branch 8341775
>> # Your branch is up to date with 'origin/8341775'.
>> #
>> # Changes to be committed:
>> # modified: src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
>> #
>
> test/jdk/sun/security/tools/jarsigner/MultiManifest.jar line 1:
>
>> 1: PKO�rY META-INF/��PKPKO�rYMETA-INF/MANIFEST.MF�M��LK-.�
>
> We usually do not include a binary file in the code repository. Can you generate one on the fly? Although JDK’s `ZipOutputStream` does not allow duplicate entries, you can add two entries whose names differ only by case. IIRC, when counting the number of manifests using `JUZFA.getManifestNum`, the check is case-insensitive.

I made sure that there were other jars in this directory in the source tree before trying this approach. In fact, there are a few tests taking this same approach. The jar is < 1/2 KB.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22222#discussion_r1988030196
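
The on-the-fly approach suggested in the quoted review, sketched as an added example that is not part of the original message or of the JDK test suite: it writes a jar whose two manifest entries differ only by case and confirms that a case-insensitive count sees both. The class name `MultiManifestFixture`, the `Hello.txt` entry and the manifest body are constructed for illustration, and the count is a plain stand-in for the internal check named in the thread, assumed to use the same matching rule.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class MultiManifestFixture {

    // Constructed sample content; any valid manifest body works for the fixture.
    private static final byte[] MANIFEST =
            "Manifest-Version: 1.0\r\n\r\n".getBytes(StandardCharsets.UTF_8);

    // Writes a jar with two manifest entries whose names differ only by case.
    // ZipOutputStream rejects exact duplicate names but compares them
    // case-sensitively, so both entries are accepted.
    static void writeJar(Path jar) throws IOException {
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(jar))) {
            for (String name : new String[] {
                    "META-INF/MANIFEST.MF", "META-INF/manifest.mf", "Hello.txt"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(name.startsWith("META-INF/") ? MANIFEST
                        : "hello".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
    }

    // Case-insensitive count of manifest entries (hypothetical helper, a
    // stand-in for the internal count mentioned in the thread).
    static long countManifests(Path jar) throws IOException {
        try (ZipFile zf = new ZipFile(jar.toFile())) {
            return zf.stream()
                    .map(ZipEntry::getName)
                    .filter(n -> n.equalsIgnoreCase("META-INF/MANIFEST.MF"))
                    .count();
        }
    }

    public static void main(String[] args) throws IOException {
        Path jar = Files.createTempFile("MultiManifest", ".jar");
        try {
            writeJar(jar);
            long n = countManifests(jar);
            if (n != 2) {
                throw new AssertionError("expected 2 manifest entries, found " + n);
            }
            System.out.println("manifest entries (case-insensitive): " + n);
        } finally {
            Files.deleteIfExists(jar);
        }
    }
}
```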