RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v15]

Weijun Wang weijun at openjdk.org
Thu Mar 27 00:02:12 UTC 2025 

On Wed, 26 Mar 2025 22:40:37 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update with comments from Sean and Weijun

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1215:

> 1213:             if (!cenEntries2.equals(locEntries)) {
> 1214:                 crossChkWarnings.add(rb.getString(
> 1215:                         "entries.mismatch.when.comparing.jarfile.and.jarinputstream"));

Do we still need this warning? The meaning is not clear to me. Since we have already compared in both ways, does this only mean the orders are different?

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 219:

> 217: entry.1.present.in.jarfile.but.unreadable=Entry %s is present in JarFile but unreadable
> 218: codesigners.different.for.entry.1.when.reading.jarfile.and.jarinputstream=Code signers are different for entry %s when reading from JarFile and JarInputStream
> 219: entry.1.has.codesigners.in.jarfile.but.not.in.jarinputstream=Entry %s has codesigners in JarFile but not in JarInputStream

Usually we don't say "has codesigners" or "has no codesigners", we say "is signed" and "is not signed". Same for the next one.

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 222:

> 220: entry.1.has.codesigners.in.jarinputstream.but.not.in.jarfile=Entry %s has codesigners in JarInputStream but not in JarFile
> 221: entries.mismatch.when.comparing.jarfile.and.jarinputstream=Entries mismatch when comparing JarFile and JarInputStream
> 222: jar.contains.internal.inconsistencies.may.result.in.different.contents.when.reading.via.jarfile.and.jarinputstream=This JAR file contains internal inconsistencies that may result in different contents when reading via JarFile and JarInputStream

Do you think it makes sense to add a ":" at the end of this header line?

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 224:

> 222: jar.contains.internal.inconsistencies.may.result.in.different.contents.when.reading.via.jarfile.and.jarinputstream=This JAR file contains internal inconsistencies that may result in different contents when reading via JarFile and JarInputStream
> 223: signature.verification.failed.on.entry.1.when.reading.via.jarinputstream=Signature verification failed on entry %s when reading via JarInputStream
> 224: signature.verification.failed.on.entry.1.when.reading.via.jarfile.inputstream=Signature verification failed on entry %s when reading via JarFile InputStream

I don't think you need to mention `InputStream` for the "JarFile" case.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2015126222
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2015128336
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2015128728
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2015129415

More information about the security-dev mailing list