RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v21]
Weijun Wang
weijun at openjdk.org
Fri Mar 28 13:42:24 UTC 2025
On Thu, 27 Mar 2025 21:29:05 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> The jarsigner -verify command currently performs verification by reading from JarFile to navigate the central directory (CEN) headers. It is now enhanced to include cross-validation of entries between JarFile (CEN-based) and JarInputStream (stream-based) representations of the JAR. It emits earnings when detecting discrepancies between a JAR file’s central directory and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Fix typo
Final comments:
1. The warning message "Manifest attribute %s is present..." is not 100% precise, should be "Manifest main attribute %s is present...".
2. The manifest does not need to be at the first position when reading as a `JarFile` (especially we are not comparing the order now), so suggest changing the last lines in `crossCheckEntries` to
jarFile.stream()
.map(JarEntry::getName)
.filter(n -> !locEntries.contains(n) && !n.equals(JarFile.MANIFEST_NAME))
.forEach(n -> crossChkWarnings.add(String.format(rb.getString(
"entry.1.present.when.reading.jarfile.but.missing.via.jarinputstream"), n)));
-------------
PR Comment: https://git.openjdk.org/jdk/pull/23532#issuecomment-2761397907
More information about the security-dev
mailing list