RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v13]

Sean Mullan mullan at openjdk.org
Tue Mar 25 20:45:10 UTC 2025 

On Fri, 21 Mar 2025 19:23:59 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update test with more ZipEntry in the jar

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1241:

> 1239:         boolean locHasSigners = locSigners != null;
> 1240: 
> 1241:         if (cenHasSigners && locHasSigners) {

So, it's ok if one entry has code signers but the other doesn't?

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1245:

> 1243:             List<CodeSigner> locSignerList = Arrays.asList(locSigners);
> 1244: 
> 1245:             if (!cenSignerList.equals(locSignerList)) {

I think you can just call `Arrays.equals()` here.

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1247:

> 1245:             if (!cenSignerList.equals(locSignerList)) {
> 1246:                 crossChkWarnings.add(String.format(rb.getString(
> 1247:                         "signature.mismatch.for.entry.1.when.comparing.jarfile.and.jarinputstream"),

"Signature mismatch" is not accurate in my opinion. This is really just about the code signers. Can we change this warning to "Code signers are different for entry %s when reading from JarFile and JarInputStream".

I like the words "reading from" instead of "comparing" as it seems to better describe what the JarFile and JarInputStream APIs for and how to diagnose the issue.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012894677
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012897366
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012904886

More information about the security-dev mailing list