RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v14]
Hai-May Chao
hchao at openjdk.org
Wed Mar 26 22:49:11 UTC 2025
On Wed, 26 Mar 2025 14:41:08 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Updated with Sean's comments
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1170:
>
>> 1168: entryName));
>> 1169: } else {
>> 1170: readEntry(cenInputStream);
>
> This could throw a `SecurityException` if the content does not match the digest. Although we have verified the JAR file with`JarFile`, things could be different when opened with a `JarInputStream`.
Added try-catch block.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2015092673
More information about the security-dev
mailing list