RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC

Hai-May Chao hchao at openjdk.org
Thu Mar 13 02:54:51 UTC 2025


On Tue, 4 Mar 2025 08:54:06 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits warnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> I think we need to stand back from all this validation and consider what validation/checking should be done by jar tool vs. jarsigner tool. I think there is a strong argument to expand what `jar --validate` does (or add a new option) so that the jar tool can do the integrity checks that include the checks to ensure that the CEN and LOC entries are consistent.  The `jarsigner -verify` option could augment that with focus on the signing rather than on ZIP or JAR file integrity issues.

@AlanBateman Thanks for the comment. As we had an internal discussion, we decided to add a small set of integrity checks to jarsigner. The webrev was updated as needed.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/23532#issuecomment-2719689109
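
The CEN/LOC consistency check discussed in this thread, shown as an added example that is not part of the original message or of the JDK change. It follows each central directory (CEN) entry to the local file header (LOC) it points at and compares the names, which is a simplification: it does not scan the LOCs sequentially as a stream-based reader does. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

CEN_SIG, LOC_SIG, END_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"

def cen_entries(data):
    """Return [(name, loc_offset)] read from the central directory (CEN)."""
    end = data.rfind(END_SIG)
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, end + 10)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad CEN header at offset %d" % pos)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        (loc_off,) = struct.unpack_from("<I", data, pos + 42)
        entries.append((data[pos + 46:pos + 46 + nlen], loc_off))
        pos += 46 + nlen + elen + clen
    return entries

def cross_check(data):
    """Compare each CEN name with the name in the LOC header it points to."""
    warnings = []
    for name, off in cen_entries(data):
        if data[off:off + 4] != LOC_SIG:
            warnings.append("%r: no LOC header at offset %d" % (name, off))
            continue
        (nlen,) = struct.unpack_from("<H", data, off + 26)
        loc_name = data[off + 30:off + 30 + nlen]
        if loc_name != name:
            warnings.append("CEN name %r != LOC name %r" % (name, loc_name))
    return warnings

def sample_jar():
    """Constructed sample: a two-entry archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        zf.writestr("A.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def with_loc_renamed(data, old, new):
    """Constructed inconsistency: change the name in the LOC copy only."""
    i = data.index(old)  # LOC headers precede the CEN, so this hits the LOC
    return data[:i] + new + data[i + len(old):]

if __name__ == "__main__":
    print(cross_check(with_loc_renamed(sample_jar(), b"A.class", b"B.class")))
```

A CEN-only reader such as `zipfile.ZipFile(...).namelist()` still lists `A.class` for the modified sample, which is why the two views have to be compared explicitly.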

