Hi,

https://docs.oracle.com/javase/10/docs/specs/jar/jar.html#signature-validation says:

When the jar tool is used to add files, the manifest file is changed (sections are added to it for the new files), but the signature file is not.

It appears to me that using the jar tool to add files to a jar file does not change the jar manifest. The jar manifest is changed by the jarsigner tool when signing the jar. I haven't found the sources of that referenced jar.html and therefore I'm not sure whether my concern still currently applies or has been fixed since JDK 10.

I'm also not sure where and how to report this issue. I'd be glad if someone could point me to the right place or forward this message accordingly.

A suggested alternative for the sentence in question might be to delete it without replacement. In my opinion, the remaining text would look fine like this:

One reason the digest value of the manifest file that is stored in the x-Digest-Manifest attribute may not equal the digest value of the current manifest file is that one or more files were added to the JAR file (using the jar tool) after the signature (and thus the signature file) was generated. A verification is still considered successful if none of the files that were in the JAR file when the signature was generated have been changed since then, which is the case if the digest values in the non-header sections of the signature file equal the digest values of the corresponding sections in the manifest file.

When at it already, let me mention that I'm not entirely sure if the term "non-header sections" fits the context optimally. What about "individual sections" or "source file information sections" instead?

Philipp
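The validation rule in the quoted paragraph, as an added Python model that is not part of the message above or of the JDK: it builds a simplified .SF for a manifest, appends an entry section the way a later `jar` run would, and checks the whole-manifest digest separately from the per-entry digests. Section boundaries, 72-byte line wrapping and CRLF handling are simplified assumptions here, not jarsigner's exact rules.

```python
import base64
import hashlib

def sha256_b64(data: str) -> str:
    """Base64 SHA-256, the form digests take in MANIFEST.MF and .SF files."""
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()

def split_sections(text: str):
    """Split manifest-style text into (main_section, {entry_name: section_text}).
    Each section keeps its terminating blank line; that is the byte range this
    example digests (an assumption simplifying jarsigner's exact section boundaries)."""
    blocks = [b for b in text.split("\n\n") if b.strip()]
    entries = {}
    for block in blocks[1:]:
        name = next(line[6:] for line in block.splitlines() if line.startswith("Name: "))
        entries[name] = block + "\n\n"
    return blocks[0] + "\n\n", entries

def attr(section: str, key: str):
    """Value of `key` in one section, or None if the attribute is absent."""
    prefix = key + ": "
    return next((line[len(prefix):] for line in section.splitlines() if line.startswith(prefix)), None)

def make_signature_file(manifest: str) -> str:
    """Simplified model of the .SF that signing produces: the main section digests
    the whole manifest, each entry section digests the matching manifest section."""
    sf = "Signature-Version: 1.0\nSHA-256-Digest-Manifest: %s\n\n" % sha256_b64(manifest)
    for name, section in split_sections(manifest)[1].items():
        sf += "Name: %s\nSHA-256-Digest: %s\n\n" % (name, sha256_b64(section))
    return sf

def verify(manifest: str, sig_file: str):
    """The rule quoted in the message: a stale whole-manifest digest is tolerated as long
    as every entry the .SF covers still digests to the recorded value.
    Returns (manifest_digest_matches, covered_entries_ok, entries_added_after_signing)."""
    sf_main, sf_entries = split_sections(sig_file)
    mf_entries = split_sections(manifest)[1]
    whole_ok = attr(sf_main, "SHA-256-Digest-Manifest") == sha256_b64(manifest)
    entries_ok = all(name in mf_entries
                     and attr(sec, "SHA-256-Digest") == sha256_b64(mf_entries[name])
                     for name, sec in sf_entries.items())
    return whole_ok, entries_ok, sorted(set(mf_entries) - set(sf_entries))

# Constructed sample: the manifest as it was signed, the same manifest after `jar`
# appended a section for b.txt, and a copy in which a.txt's digest was altered.
MANIFEST_SIGNED = "Manifest-Version: 1.0\n\nName: a.txt\nSHA-256-Digest: %s\n\n" % sha256_b64("content of a")
SIG_FILE = make_signature_file(MANIFEST_SIGNED)
MANIFEST_AFTER_ADD = MANIFEST_SIGNED + "Name: b.txt\nSHA-256-Digest: %s\n\n" % sha256_b64("content of b")
MANIFEST_TAMPERED = MANIFEST_AFTER_ADD.replace(sha256_b64("content of a"), sha256_b64("changed a"))
```

Only the third case fails the per-entry check; the second shows why a mismatching x-Digest-Manifest alone is not a verification failure.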