RFR: 8341775: Duplicate manifest files are removed by jarsigner after signing [v7]
Kevin Driver
kdriver at openjdk.org
Mon Mar 10 21:21:55 UTC 2025
On Mon, 10 Mar 2025 17:01:36 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Kevin Driver has updated the pull request incrementally with three additional commits since the last revision:
>>
>> - force-add jar
>> - re-write to make the changes in the jarsigner tool itself, rather than the API
>> - Revert "JDK-8341775: In the case where there is a *single* META-INF directory but potentially *multiple* manifest files of different cases, print a warning before selecting the first one and ignoring the rest."
>>
>> This reverts commit 06e90503f3e75b1b432ec0a196716f01ebb7344a.
>>
>> # Please enter the commit message for your changes. Lines starting
>> # with '#' will be kept; you may remove them yourself if you want to.
>> # An empty message aborts the commit.
>> #
>> # On branch 8341775
>> # Your branch is up to date with 'origin/8341775'.
>> #
>> # Changes to be committed:
>> # modified: src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
>> #
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1986:
>
>> 1984: if(manifestNum > 1) {
>> 1985: System.out.println();
>> 1986: System.out.println(rb.getString("Warning."));
>
> Typically, we don’t print a warning immediately when a problem is detected. Instead, we log a flag and display the warnings later in the `displayMessagesAndResult` method. If a warning is printed too early, and there are a lot of additional lines after it (For example, with `-verbose` enabled and many entries), the warning may be overlooked.
I see. I noted the `error` method but somehow I missed that warnings are collected and displayed via `displayMessagesAndResult`. I was planning to show the message as it happens, since that is what we do with the `error` method calls. This isn't exactly an "error," but I didn't see a `warn` (or similar) method.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22222#discussion_r1988037614
More information about the security-dev
mailing list