
<div dir="ltr"><div dir="ltr"><div>Thanks for forwarding me to the right list, Alan</div><div><br></div><div>For context, I posted a follow-up on the core-libs-dev thread yesterday showing that some other methods have the same problem:</div><div><br></div><div><a href="https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html" target="_blank">https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html</a><br></div><div><br></div><div>And here's a draft PR for a fix, including a test which provokes the various code paths:</div><div><br></div><div><a href="https://github.com/openjdk/jdk/pull/11976" target="_blank">https://github.com/openjdk/jdk/pull/11976</a><br></div><div><br></div><div>Cheers,</div><div>Eirik.</div></div><div class="gmail-yj6qo gmail-ajU" style="outline:none;padding:10px 0px;width:22px;margin:2px 0px 0px"><br class="gmail-Apple-interchange-newline"></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 13, 2023 at 9:32 AM Alan Bateman <<a href="mailto:Alan.Bateman@oracle.com">Alan.Bateman@oracle.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">


  <div>

    <br>

    Forwarding to security-dev as that is where issues around signed

    JARs are usually discussed.<br>

    <br>

    -Alan.<br>

    <br>

    <br>

    <div>On 10/01/2023 17:00, Eirik Bjørsnøs

      wrote:<br>

    </div>

    <blockquote type="cite">

      
      <div dir="ltr">Hi,

        <div><br>

        </div>

        <div>ZipFile.isSignatureRelated currently returns true for paths

          such as the following:</div>

        <div><br>

        </div>

        <div>META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA<br>

        </div>

        <div><br>

        </div>

        <div>While this path does start with "META-INF/" and ends with

          ".DSA", the file does not live in the META-INF/ directory

          _directly_, but rather several directories below.</div>

        <div><br>

        </div>

        <div>This causes such .DSA files to be incorrectly (?) included

          in the verification of META-INF/MANIFEST.MF in

          JarFile.initializeVerifier, which then fails with: </div>

        <div><br>

        </div>

        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Exception

          in thread "main" java.lang.SecurityException: Invalid

          signature file digest for Manifest main attributes<br>

          at

java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:340)<br>

          at

java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:282)<br>

          at

          java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:327)<br>

          at

          java.base/java.util.jar.JarVerifier.update(JarVerifier.java:239)<br>

          at

          java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:760)<br>

          at

          java.base/java.util.jar.JarFile.ensureInitialization(JarFile.java:1058)<br>

          at

java.base/java.util.jar.JavaUtilJarAccessImpl.ensureInitialization(JavaUtilJarAccessImpl.java:72)<br>

          at

java.base/jdk.internal.loader.URLClassPath$JarLoader$2.getManifest(URLClassPath.java:883)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:848)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)<br>

          at

java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)<br>

          at

          java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)  </blockquote>

        <div><br>

        </div>

        <div>A few questions:</div>

        <div><br>

        </div>

        <div>1: Where Is the exact location of signature related files

          specified?<br>

        </div>

        <div><br>

        </div>

        <div>2: Is the current behaviour indeed incorrect?</div>

        <div><br>

        </div>

        <div>3: Should ZipFile.isSignatureRelated be updated such that

          it only matches signature related files which reside exactly

          in "META-INF/" ?</div>

        <div><br>

        </div>

        <div>The context for this is that I'm making a fat jar Maven

          plugin which embeds dependency jars by "unpacking" them into

          subdirectories of META-INF/libraries/.</div>

        <div><br>

        </div>

        <div>Cheers,</div>

        <div>Eirik.</div>

      </div>

    </blockquote>

    <br>

  </div>


</blockquote></div>