Thank you. Regarding SIG-, I just followed the spec.

Signed JAR File
Overview
A JAR file can be signed by using the command line jarsigner 
<http://docs.oracle.com/javase/7/docs/technotes/guides/security/SecurityToolsSummary.html>
 tool or directly through the java.security API. Every file entry, including 
non-signature related files in the META-INF directory, will be signed if the 
JAR file is signed by the jarsigner tool. The signature related files are:
META-INF/MANIFEST.MF
META-INF/*.SF
META-INF/*.DSA
META-INF/*.RSA
META-INF/SIG-*
Note that if such files are located in META-INF subdirectories, they are not 
considered signature-related. Case-insensitive versions of these filenames are 
reserved and will also not be signed.
Subsets of a JAR file can be signed by using the java.security API. A signed 
JAR file is exactly the same as the original JAR file, except that its manifest 
is updated and two additional files are added to the META-INF directory: a 
signature file and a signature block file. When jarsigner is not used, the 
signing program has to construct both the signature file and the signature 
block file.


> On Nov 7, 2016, at 8:40 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
> 
> 
> On 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html
>> https://bugs.openjdk.java.net/browse/JDK-8159393
>> 
> I think this is the link:
>  http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
> 
> I hope someone from the security area will be able to help review this. One 
> thing that isn't clear to me is whether the check for META-INF/SIG-* is 
> right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align with 
> how JAR file verification checks for signed JARs.
> 
> In passing, should the usage and warning use "modular JAR" rather than 
> "modular jar"?
> 
> -Alan
> 

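The rules in the spec excerpt above, plus the two points Alan raises (whether META-INF/SIG-* belongs in the check, and normalising with toUpperCase(Locale.ENGLISH) the way JAR verification does), fit in one small function. What follows is an added example written for this thread, not code from the webrev, from jlink or from the JDK's JarFile implementation. It classifies entry names by the quoted rules, decides whether a JAR carries a signature, and exercises that on a JAR built in memory with Python's zipfile module; the entry names and contents in the sample are made up, and the *.EC suffix is not in the spec text quoted above but is listed by later revisions of the specification.

```python
import io
import zipfile

# Suffixes of signature block files placed directly in META-INF/. The quoted
# spec lists *.DSA and *.RSA (plus SIG-*); later revisions of the spec add *.EC.
SIGNATURE_BLOCK_SUFFIXES = (".DSA", ".RSA", ".EC")


def is_signature_related(entry_name: str) -> bool:
    """Apply the spec's rule: an entry is signature-related only when it sits
    directly in META-INF/ (no subdirectory) and its name matches, compared
    case-insensitively. The JDK uses toUpperCase(Locale.ENGLISH) for this;
    str.upper() is locale-independent, so it gives the same result here."""
    name = entry_name.upper()
    if not name.startswith("META-INF/"):
        return False
    rest = name[len("META-INF/"):]
    if not rest or "/" in rest:
        # The META-INF/ directory entry itself, and anything inside a
        # META-INF subdirectory, is not signature-related per the spec.
        return False
    return (rest == "MANIFEST.MF"
            or rest.endswith(".SF")
            or rest.endswith(SIGNATURE_BLOCK_SUFFIXES)
            or rest.startswith("SIG-"))


def signature_entries(jar_bytes: bytes) -> list:
    """Signature files and signature blocks in the JAR, in archive order.
    MANIFEST.MF is left out: every JAR has one, signed or not."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist()
                if is_signature_related(n)
                and n.upper() != "META-INF/MANIFEST.MF"]


def is_signed(jar_bytes: bytes) -> bool:
    """A JAR is treated as signed when it carries any signature file or block."""
    return bool(signature_entries(jar_bytes))


def build_jar(entries: dict) -> bytes:
    """Build a constructed sample JAR in memory. Only the entry names matter
    for the check; the contents are placeholders, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: mixed-case signature entries, a SIG-* block, and one
# .SF file under a META-INF subdirectory, which the spec says does not count.
SIGNED_SAMPLE = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/ALICE.SF": b"Signature-Version: 1.0\n",
    "meta-inf/alice.rsa": b"\x30\x82",          # placeholder, not a real PKCS#7 block
    "META-INF/SIG-BOB": b"",                    # SIG-* block for another algorithm
    "META-INF/versions/9/CAROL.SF": b"",        # subdirectory: not signature-related
    "com/example/Main.class": b"\xca\xfe\xba\xbe",
})

# Constructed sample with a manifest but no signature at all.
UNSIGNED_SAMPLE = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    print(signature_entries(SIGNED_SAMPLE))
    print(is_signed(SIGNED_SAMPLE), is_signed(UNSIGNED_SAMPLE))
```

Two details worth keeping when porting this back to Java: the subdirectory test must happen before the suffix test, otherwise a .SF under META-INF/versions/ would make a multi-release JAR look signed even though the spec says such an entry is neither a signature file nor covered by one; and the comparison must upper-case the entry name rather than lower-case the patterns, so that meta-inf/alice.rsa is recognised the same way JAR verification recognises it.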