But I need to be more careful with "Note that if such files are located in 
META-INF subdirectories, they are not considered signature-related."


> On Nov 7, 2016, at 9:09 AM, Jim Laskey (Oracle) <james.las...@oracle.com> 
> wrote:
> 
> Thank you. Regarding SIG- I just followed the spec.
> 
> 
> Signed JAR File
> Overview
> A JAR file can be signed by using the command line jarsigner 
> <http://docs.oracle.com/javase/7/docs/technotes/guides/security/SecurityToolsSummary.html>
>  tool or directly through the java.security API. Every file entry, including 
> non-signature related files in the META-INF directory, will be signed if the 
> JAR file is signed by the jarsigner tool. The signature related files are:
>   - META-INF/MANIFEST.MF
>   - META-INF/*.SF
>   - META-INF/*.DSA
>   - META-INF/*.RSA
>   - META-INF/SIG-*
> Note that if such files are located in META-INF subdirectories, they are not 
> considered signature-related. Case-insensitive versions of these filenames 
> are reserved and will also not be signed.
> Subsets of a JAR file can be signed by using the java.security API. A signed 
> JAR file is exactly the same as the original JAR file, except that its 
> manifest is updated and two additional files are added to the META-INF 
> directory: a signature file and a signature block file. When jarsigner is not 
> used, the signing program has to construct both the signature file and the 
> signature block file.
> 
> 
>> On Nov 7, 2016, at 8:40 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
>> 
>> 
>> On 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
>>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html
>>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>> 
>> I think this is the link:
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>> 
>> I hope someone from the security area will be able to help review this. One 
>> thing that isn't clear to me is whether the check for META-INF/SIG-* is 
>> right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align with 
>> how JAR file verification checks for signed JARs.
>> 
>> In passing, should the usage and warning use "modular JAR" rather than 
>> "modular jar"?
>> 
>> -Alan
>> 
> 
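The rule quoted above from the JAR File Specification, and Alan's two points (what counts as a META-INF/SIG-* match, and upper-casing with Locale.ENGLISH to match JAR verification), can be turned into a small self-contained check. The class below is an added illustration written for this page; it is not code from the webrev, the jlink test, or the JDK's own SignatureFileVerifier. The class and method names are invented, the entry listing in main is constructed, and the suffix list is exactly the one in the spec excerpt (the JDK's own verifier also accepts .EC block files, which the excerpt does not list). Treating "a signature file directly under META-INF" as the signal that a JAR is signed is an assumption made for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Classifies JAR entry names as signature-related or not, following the
 * rules quoted from the JAR File Specification: only files directly under
 * META-INF/ count, names match case-insensitively, and files in META-INF
 * subdirectories never count. Example code, not JDK code.
 */
public final class SignatureRelatedEntries {

    private static final String META_INF = "META-INF/";

    /** Returns true if entryName names a signature-related file. */
    public static boolean isSigningRelated(String entryName) {
        // Upper-case with a fixed locale, as JAR verification does, so a
        // Turkish default locale cannot map "sig-" to a dotless-I form and
        // silently miss a SIG-* block file.
        String name = entryName.toUpperCase(Locale.ENGLISH);
        if (!name.startsWith(META_INF)) {
            return false;
        }
        String base = name.substring(META_INF.length());
        // The bare directory entry and anything in a META-INF subdirectory
        // (e.g. META-INF/versions/9/...) are not signature-related.
        if (base.isEmpty() || base.indexOf('/') != -1) {
            return false;
        }
        return base.equals("MANIFEST.MF")
            || base.endsWith(".SF")
            || base.endsWith(".DSA")
            || base.endsWith(".RSA")
            || base.startsWith("SIG-");
    }

    /**
     * Assumption for this example: a JAR is treated as signed when it carries
     * a signature file (META-INF/*.SF) directly under META-INF. The manifest
     * alone is not evidence of signing, since every JAR may have one.
     */
    public static boolean isSigned(List<String> entryNames) {
        for (String entryName : entryNames) {
            String name = entryName.toUpperCase(Locale.ENGLISH);
            if (isSigningRelated(entryName) && name.endsWith(".SF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed entry listing for a signed modular JAR; not taken from any real JAR.
        List<String> signedJar = Arrays.asList(
            "META-INF/MANIFEST.MF",
            "META-INF/FOO.SF",
            "META-INF/FOO.RSA",
            "META-INF/sig-ABC",          // SIG-* block file, matched case-insensitively
            "META-INF/versions/9/X.SF",  // subdirectory: NOT signature-related
            "module-info.class",
            "com/example/Main.class");

        for (String e : signedJar) {
            System.out.printf("%-28s signature-related=%b%n", e, isSigningRelated(e));
        }
        System.out.println("signed modular jar: " + isSigned(signedJar));

        List<String> plainJar = Arrays.asList("META-INF/MANIFEST.MF", "module-info.class");
        System.out.println("plain modular jar signed: " + isSigned(plainJar));
    }
}
```

Compile and run with javac SignatureRelatedEntries.java && java SignatureRelatedEntries. The one line to keep an eye on in a real implementation is the toUpperCase(Locale.ENGLISH) call: comparing with the default locale, or lower-casing instead, is where a check like the one under review can drift from what java.util.jar does when it decides a JAR is signed.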
