Thank you. Regarding SIG-, I just followed the spec.
Signed JAR File

Overview

A JAR file can be signed by using the command line jarsigner <http://docs.oracle.com/javase/7/docs/technotes/guides/security/SecurityToolsSummary.html> tool or directly through the java.security API. Every file entry, including non-signature related files in the META-INF directory, will be signed if the JAR file is signed by the jarsigner tool. The signature related files are:

META-INF/MANIFEST.MF
META-INF/*.SF
META-INF/*.DSA
META-INF/*.RSA
META-INF/SIG-*

Note that if such files are located in META-INF subdirectories, they are not considered signature-related. Case-insensitive versions of these filenames are reserved and will also not be signed. Subsets of a JAR file can be signed by using the java.security API.

A signed JAR file is exactly the same as the original JAR file, except that its manifest is updated and two additional files are added to the META-INF directory: a signature file and a signature block file. When jarsigner is not used, the signing program has to construct both the signature file and the signature block file.

> On Nov 7, 2016, at 8:40 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
>
>
> On 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html
>>
>> <http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html>
>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>
> I think this is the link:
> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>
> I hope someone from the security area will be able to help review this. One
> thing that isn't clear to me is whether the check for META-INF/SIG-* is
> right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align with
> how JAR file verification checks for signed JARs.
>
> In passing, should the usage and warning use "modular JAR" rather than
> "modular jar"?
>
> -Alan
>
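The spec rules quoted above (the five reserved names, the META-INF subdirectory exclusion, and the case-insensitive comparison that Alan's toUpperCase(Locale.ENGLISH) remark refers to), written out as a standalone check. This is an added example, not code from the webrev or from the JDK; the class and method names and the sample entry names are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;

/** Added example (not JDK code): classify JAR entry names per the JAR spec text above. */
public final class SignatureEntries {

    /**
     * True if entryName is one of the reserved signature-related names:
     * META-INF/MANIFEST.MF, META-INF/*.SF, META-INF/*.DSA, META-INF/*.RSA or META-INF/SIG-*.
     * Entries in META-INF subdirectories are not signature-related. The comparison is
     * case-insensitive; Locale.ENGLISH keeps locale casing rules (e.g. Turkish dotless i)
     * from silently changing which entries are treated as reserved.
     */
    public static boolean isSignatureRelated(String entryName) {
        String upper = entryName.toUpperCase(Locale.ENGLISH);
        if (!upper.startsWith("META-INF/")) {
            return false;
        }
        String name = upper.substring("META-INF/".length());
        if (name.isEmpty() || name.indexOf('/') >= 0) {
            return false; // META-INF/ itself, or a META-INF subdirectory
        }
        return name.equals("MANIFEST.MF")
            || name.endsWith(".SF")
            || name.endsWith(".DSA")
            || name.endsWith(".RSA")
            || name.startsWith("SIG-");
    }

    /** Treats a JAR as signed when a reserved .SF entry sits directly in META-INF. */
    public static boolean looksSigned(List<String> entryNames) {
        return entryNames.stream().anyMatch(n ->
            isSignatureRelated(n) && n.toUpperCase(Locale.ENGLISH).endsWith(".SF"));
    }

    public static void main(String[] args) {
        // Constructed entry names, not taken from any real JAR.
        List<String> samples = List.of(
            "META-INF/MANIFEST.MF", "META-INF/ALICE.SF", "META-INF/alice.rsa",
            "META-INF/SIG-EC", "META-INF/sig-ec", "META-INF/versions/9/module-info.class",
            "META-INF/sub/X.SF", "com/example/Main.class");
        for (String s : samples) {
            System.out.println(s + " -> " + isSignatureRelated(s));
        }
        System.out.println("looksSigned -> " + looksSigned(samples));
    }
}
```

Note that the subdirectory entries (META-INF/sub/X.SF, META-INF/versions/...) are reported as not signature-related even though their suffix matches, which is the case the spec text calls out.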