[RFC][icedtea-web] Signed JNLP file: added regression tests

Jiri Vanek jvanek at redhat.com
Mon Jun 4 03:18:47 PDT 2012


On 05/31/2012 10:26 PM, Saad Mohammad wrote:
> Hi,
>
>  From previous reviews and suggestions, I have updated the patch which tests the launch of applications with unsigned and signed jnlp file. The test ensures that a signed jnlp file is checked/validated (if found) at launch and the appropriate actions are taken depending on the validation.
>
> * Changelog entry is attached.
>
> On a side note (and as mentioned in my previous email), Oracle's JDK validates the jnlp file (if found within jar) regardless of whether it is signed or not. But according to their specification (section 5.4):
>
> "A JNLP file can optionally be signed. A JNLP Client must check if a signed version of the JNLP file or JNLP template exist, and if so, verify that at least one of them match the JNLP file that is used to launch the application. If a match is not found (see below), then the launch must be aborted. If no signed JNLP file or JNLP template exist, then the JNLP file is not signed, and no check needs to be performed."
>
> "A JNLP file is signed either by including a copy of it in the signed main JAR file, or by including a matching (see below) template file in the signed main JAR file."
>
> After running some tests, I can say IcedTea-Web behaves according to the specification. I'm just curious as to whether this is fine or if we would like IcedTea-Web to behave similarly to Oracle's JDK. Also, because of this, the unsigned tests (included in the patch) ensure no signed jnlp file is checked (because the jar is unsigned). Any thoughts?
>
> Thanks. :)
>

Ugh. That is a laaarge one....
I have just two minor issues with this patch; once fixed, you can push.
1)
You have (just a few times) something like:

String s = ...
Assert.assert*(".." + s..

In the same file you sometimes have this value of s copy-pasted. Can you extract it to a final global variable and reuse it?

2) You have spaces instead of tabs in your changelog. Be sure there are tabs before commit ;)
   Also please cut lines (not filenames!) longer than 80 chars to 80 chars... approx... O:) I have seen just 6 lines worthy of this....

Thanx for tests!

Overall to by-jnlp-signed apps:

I remember my question:
 >> Q: I thought that jnlp signing is working like this:
 >> 1 - (I'm unsure here) signed jar with JNLP-INF/* and unsigned jar with the (signed?) same/template_matching jnlp file.
 >> So to test it properly you need to use two jars - signed and unsigned. And ensure that the second one obtains rights or launch terminates.
 >> 2 - or (more probably, but I'm still lost in this signing) just jnlp file (and few others BUT NOT whole jar) should be signed in jar and the rest is evaluated by comparison of launching jnlp and signed jnlp inside.

 > And reply:
 >     1) A signed JNLP application/template file
 >     2) An unsigned JNLP application/template file
 >     3) A signed jnlp application/template file with case
 >        insensitive filenames
 >
 > I'm currently working on adding a few more tests that will test applications with multiple jars. These tests will be sent in another email very soon :)

You wrote me that it is not necessary to include a multiple-jars test. But I also remember that you have tested it.. Please provide a test or two to catch the behaviour.

I still do not see the reason why you consider those tests as unworthy of preparation.

Thanx again for testing your previous work!-)

J.
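
The launch rule from the section 5.4 text quoted in this thread, as an added example that is not part of the original mail or of IcedTea-Web's code. It covers only the embedded `JNLP-INF/APPLICATION.JNLP` copy (template matching is left out), and it assumes that the caller has already verified the jar signature and that a byte-for-byte comparison stands in for the specification's matching rules; the function names and sample data are constructed.

```python
import io
import zipfile

SIGNED_JNLP = "JNLP-INF/APPLICATION.JNLP"  # entry name from the JNLP specification

def make_jar(entries):
    """Build an in-memory jar (zip) from {entry name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def find_signed_jnlp(jar_bytes):
    """Return the embedded JNLP copy, matching the entry name case-insensitively."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.upper() == SIGNED_JNLP:
                return jar.read(name)
    return None

def launch_decision(launch_jnlp, main_jar, jar_signature_ok):
    """Return 'no-check', 'launch' or 'abort' following the quoted section 5.4 text.

    jar_signature_ok is an assumption: the caller has already verified the
    main jar's signature; this sketch does not verify signatures itself.
    """
    if not jar_signature_ok:
        return "no-check"  # unsigned jar: an embedded copy is not a signed JNLP
    embedded = find_signed_jnlp(main_jar)
    if embedded is None:
        return "no-check"  # no signed JNLP file exists, nothing to compare
    # Assumption: byte-for-byte comparison stands in for the spec's matching rules.
    return "launch" if embedded == launch_jnlp else "abort"

# Constructed sample data: one JNLP file, a modified copy, and two jars.
JNLP = b'<jnlp codebase="http://example.invalid/" href="app.jnlp"/>'
TAMPERED = JNLP.replace(b"app.jnlp", b"other.jnlp")
SIGNED_JAR = make_jar({"jnlp-inf/application.jnlp": JNLP, "Main.class": b"\xca\xfe"})
PLAIN_JAR = make_jar({"Main.class": b"\xca\xfe"})

if __name__ == "__main__":
    print(launch_decision(JNLP, SIGNED_JAR, True))       # matching copy
    print(launch_decision(TAMPERED, SIGNED_JAR, True))   # launching file differs
    print(launch_decision(JNLP, PLAIN_JAR, True))        # no embedded copy
    print(launch_decision(TAMPERED, SIGNED_JAR, False))  # jar itself unsigned
```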


