<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"></head><body lang=DE-CH link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Our Web Start app is also killed by this issue.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Tested with:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Java u141 b15 (FAIL)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Java u141 b32 (FAIL)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Java u131 b11 (OK)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Reto<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=DE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=DE 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> security-dev [mailto:security-dev-bounces@openjdk.java.net] <b>On behalf of </b>Bernd<br><b>Sent:</b> Wednesday, 19 July 2017 14:01<br><b>To:</b> security-dev@openjdk.java.net<br><b>Subject:</b> jar verification regression Oracle 8u141<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><div><div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Hello,<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>after upgrading Java Web Start to 8u141, an application fails to start with a JAR verification error:<br><br>com.sun.deploy.net.JARSigningException: Signatur konnte nicht verifiziert werden in Ressource [Signature could not be verified in resource]: <a href="http://localhost:10000/seeburger/app/commons-httpclient.jar">http://localhost:10000/seeburger/app/commons-httpclient.jar</a><br>    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)<br>    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)<br>    at java.security.AccessController.doPrivileged(Native Method)<br>    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)<br>    at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)<br>    at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)<br>    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)<br>    at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)<br>    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)<br>    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)<br>    at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)<br>  
  at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<br>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<br>    at java.lang.Thread.run(Thread.java:748)<br><br>java.lang.SecurityException: digest missing for org/apache/commons/httpclient<br>    at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)<br>    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)<br>    at java.util.jar.JarVerifier.update(JarVerifier.java:211)<br>    at java.util.jar.JarVerifier$VerifierStream.&lt;init&gt;(JarVerifier.java:457)<br>    at java.util.jar.JarFile.getInputStream(JarFile.java:464)<br>    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)<br>    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)<br><br><o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>If I use jarsigner -verify (from 8u141) on that file, it does not show a problem. 
The file also worked with 8u131.<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>We signed that file ourselves, and I am not sure when the broken entry is generated; it looks like:<br><br>Manifest-Version: 1.0<br>Ant-Version: Apache Ant 1.6.5<br>Built-By: oleg<br>Maven-Version: 1.1<br>Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)<br><br>Name: org/apache/commons/httpclient/Header.class<br>SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=<br>...<br>Name: org/apache/commons/httpclient/methods/multipart/PartSource.class<br>SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=<br><br>Name: org/apache/commons/httpclient<br>Implementation-Title: org.apache.commons.httpclient<br>Implementation-Version: 3.1<br>X-Compile-Target-JDK: 1.2<br>Specification-Vendor: Apache Software Foundation<br>Specification-Title: Jakarta Commons HttpClient<br>Implementation-Vendor-Id: org.apache<br>Extension-name: org.apache.commons.httpclient<br>X-Compile-Source-JDK: 1.2<br>Specification-Version: 3.1<br>Implementation-Vendor: Apache Software Foundation<br><br>Name: org/apache/commons/httpclient/methods/multipart/FilePart.class<br>SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=<br>...<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>This structure is created by jarsigner because the original Apache artifact manifest looks like this:<br><br>Manifest-Version: 1.0<br>Ant-Version: Apache Ant 1.6.5<br>Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)<br>Built-By: oleg<br>Maven-Version: 1.1<br><br>Name: org/apache/commons/httpclient<br>Extension-name: org.apache.commons.httpclient<br>Specification-Title: Jakarta Commons HttpClient<br>Specification-Vendor: Apache Software Foundation<br>Specification-Version: 3.1<br>Implementation-Title: org.apache.commons.httpclient<br>Implementation-Vendor: Apache Software Foundation<br>Implementation-Version: 3.1<br>Implementation-Vendor-Id: org.apache<br>X-Compile-Source-JDK: 
1.2<br>X-Compile-Target-JDK: 1.2<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>I think different jarsigner versions behave differently; some remove that section.<o:p></o:p></p></div><div><p class=MsoNormal>jarsigner -verify should be as strict as JWS. JWS should probably ignore sections like that, as it did before.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Regards<o:p></o:p></p></div><p class=MsoNormal>Bernd<o:p></o:p></p><div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div></div></div></div></div></div></div></div></body></html>