
<html><head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  </head>

  <body>

    <br>

    Forwarding to security-dev as that is where issues around signed

    JARs are usually discussed.<br>

    <br>

    -Alan.<br>

    <br>

    <br>

    <div class="moz-cite-prefix">On 10/01/2023 17:00, Eirik Bjørsnøs

      wrote:<br>

    </div>

    <blockquote type="cite" cite="mid:CA+pBWhs9EpASb6JGpcy5x2H4ToRZoALkhv1oJFe0Sw4qExB6dA@mail.gmail.com">

      

      <div dir="ltr">Hi,

        <div><br>

        </div>

        <div>ZipFile.isSignatureRelated currently returns true for paths

          such as the following:</div>

        <div><br>

        </div>

        <div>META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA<br>

        </div>

        <div><br>

        </div>

        <div>While this path does start with "META-INF/" and ends with

          ".DSA", the file does not live in the META-INF/ directory

          _directly_, but rather several directories below.</div>

        <div><br>

        </div>

        <div>This causes such .DSA files to be incorrectly (?) included

          in the verification of META-INF/MANIFEST.MF in

          JarFile.initializeVerifier, which then fails with: </div>

        <div><br>

        </div>

        <blockquote class="gmail_quote" style="margin:0px 0px 0px

          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Exception

          in thread "main" java.lang.SecurityException: Invalid

          signature file digest for Manifest main attributes<br>

          at

java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:340)<br>

          at

java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:282)<br>

          at

          java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:327)<br>

          at

          java.base/java.util.jar.JarVerifier.update(JarVerifier.java:239)<br>

          at

          java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:760)<br>

          at

          java.base/java.util.jar.JarFile.ensureInitialization(JarFile.java:1058)<br>

          at

java.base/java.util.jar.JavaUtilJarAccessImpl.ensureInitialization(JavaUtilJarAccessImpl.java:72)<br>

          at

java.base/jdk.internal.loader.URLClassPath$JarLoader$2.getManifest(URLClassPath.java:883)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:848)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)<br>

          at

java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)<br>

          at

java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)<br>

          at

          java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)  </blockquote>

        <div><br>

        </div>

        <div>A few questions:</div>

        <div><br>

        </div>

        <div>1: Where Is the exact location of signature related files

          specified?<br>

        </div>

        <div><br>

        </div>

        <div>2: Is the current behaviour indeed incorrect?</div>

        <div><br>

        </div>

        <div>3: Should ZipFile.isSignatureRelated be updated such that

          it only matches signature related files which reside exactly

          in "META-INF/" ?</div>

        <div><br>

        </div>

        <div>The context for this is that I'm making a fat jar Maven

          plugin which embeds dependency jars by "unpacking" them into

          subdirectories of META-INF/libraries/.</div>

        <div><br>

        </div>

        <div>Cheers,</div>

        <div>Eirik.</div>

      </div>

    </blockquote>

    <br>

  </body>

</html>