RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v17]
Sean Mullan
mullan at openjdk.org
Thu Mar 27 13:40:29 UTC 2025
On Thu, 27 Mar 2025 06:40:02 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Not split warning in rb.getString() accross multi-lines for Usages.java
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1137:
> 1135:
> 1136: private void crossCheckEntries(String jarName) throws Exception {
> 1137: List<String> locEntries = new ArrayList<>();
I think this can be a `HashSet` now that you don't care about the order when checking against the `cenEntries` later.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2016588287
More information about the security-dev
mailing list