RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v13]
Sean Mullan
mullan at openjdk.org
Tue Mar 25 20:09:09 UTC 2025
On Fri, 21 Mar 2025 19:23:59 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Update test with more ZipEntry in the jar
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 214:
> 212: manifest.attribute.1.present.when.reading.jarfile.but.missing.via.jarinputstream=Manifest attribute %s is present when reading via JarFile but missing when reading via JarInputStream
> 213: manifest.attribute.1.present.when.reading.jarinputstream.but.missing.via.jarfile=Manifest attribute %s is present when reading via JarInputStream but missing when reading via JarFile
> 214: manifest.atrribute.1.differs.jarfile.value.2.jarinputstream.value.3=Manifest attribute %1$s differs: JarFile value = %2$s, JarInputStream value = %3$s
Typo: s/atrribute/attribute/
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012857942
More information about the security-dev
mailing list