On Tue, 24 Jan 2023 18:54:59 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> Precisely `ZipFile::isSignatureRelated` should also contain those `SIG-` files.

Should they though? These files are ultimately read by JarFile.initializeVerifier, which I guess only cares about signature/block files it actually knows how to verify, currently EC, RSA, DSA?

> The feature is not used so I cannot say if it's wrong.

The JAR File Specification is a bit short on the purpose of these files. I assume they are expected to be verified by code external to the JDK?

-------------

PR: https://git.openjdk.org/jdk/pull/11976