RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v14]
Weijun Wang
weijun at openjdk.org
Wed Mar 26 14:44:11 UTC 2025
On Wed, 26 Mar 2025 02:33:02 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Updated with Sean's comments
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1170:
> 1168: entryName));
> 1169: } else {
> 1170: readEntry(cenInputStream);
This could throw a `SecurityException` if the content does not match the digest. Although we have verified the JAR file with`JarFile`, things could be different when opened with a `JarInputStream`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2014335558
More information about the security-dev
mailing list