RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v7]
Hai-May Chao
hchao at openjdk.org
Thu Mar 27 01:55:20 UTC 2025
On Wed, 26 Mar 2025 23:23:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Good idea. Updated the code. Thanks.
>
> Again, shall we return here? Do you want to skip the other comparisons when the manifests are not the same?
It was suggested that I validate the Manifest and then fast fail if there is an inconsistency. As Manifest contains metadata about the JAR, if it itself is inconsistent, it may indicate a deeper issue with the JAR. I'd think fast failing could save time by avoiding unnecessary checks.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2015364427