The bug https://bugs.openjdk.java.net/browse/JDK-8159393 is really about warning 
developers that their image does not support signing.  If they are okay with 
that then they can override with --strip-signing-information.

— Jim



> On Nov 7, 2016, at 10:11 AM, Jim Laskey (Oracle) <james.las...@oracle.com> 
> wrote:
> 
> The security entries are (have been) ignored when building the image.  At 
> some future date (post-9), we need to decide how to sign an image.
> 
> — Jim
> 
> 
>> On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
>> 
>> The code block below checking if a jar file was signed is correct.
>> 
>> There is one thing I don't understand, the --strip-signing-information 
>> option. It looks like you will remove the signature-related files if this 
>> option is set. But, where are they stripped?
>> 
>> Thanks
>> Max
>> 
>> On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
>>> Apologies for the poor links earlier.
>>> 
>>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>> 
>>> 
>>>> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle) <james.las...@oracle.com> 
>>>> wrote:
>>>> 
>>>> Revising to
>>>> 
>>>>                  String name = entry.name().toUpperCase(Locale.ENGLISH);
>>>> 
>>>>                  return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>>>>                              name.endsWith(".SF") ||
>>>>                              name.endsWith(".DSA") ||
>>>>                              name.endsWith(".RSA") ||
>>>>                              name.endsWith(".EC") ||
>>>>                              name.startsWith("META-INF/SIG-")
>>>>                          );
>>>> 
>>>> 
>>>>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) <james.las...@oracle.com> 
>>>>> wrote:
>>>>> 
>>>>> Right.  From SignatureFileVerifier.java
>>>>> 
>>>>> 
>>>>> /**
>>>>>  * Utility method used by JarVerifier and JarSigner
>>>>>  * to determine the signature file names and PKCS7 block
>>>>>  * files names that are supported
>>>>>  *
>>>>>  * @param s file name
>>>>>  * @return true if the input file name is a supported
>>>>>  *          Signature File or PKCS7 block file name
>>>>>  */
>>>>> public static boolean isBlockOrSF(String s) {
>>>>>     // we currently only support DSA and RSA PKCS7 blocks
>>>>>     return s.endsWith(".SF")
>>>>>         || s.endsWith(".DSA")
>>>>>         || s.endsWith(".RSA")
>>>>>         || s.endsWith(".EC");
>>>>> }
>>>>> 
>>>>> /**
>>>>>  * Yet another utility method used by JarVerifier and JarSigner
>>>>>  * to determine what files are signature related, which includes
>>>>>  * the MANIFEST, SF files, known signature block files, and other
>>>>>  * unknown signature related files (those starting with SIG- with
>>>>>  * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>>>>  *
>>>>>  * @param name file name
>>>>>  * @return true if the input file name is signature related
>>>>>  */
>>>>> public static boolean isSigningRelated(String name) {
>>>>>     name = name.toUpperCase(Locale.ENGLISH);
>>>>>     if (!name.startsWith("META-INF/")) {
>>>>>         return false;
>>>>>     }
>>>>>     name = name.substring(9);
>>>>>     if (name.indexOf('/') != -1) {
>>>>>         return false;
>>>>>     }
>>>>>     if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>>>>         return true;
>>>>>     } else if (name.startsWith("SIG-")) {
>>>>>         // check filename extension
>>>>>         // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>>>>         // for what filename extensions are legal
>>>>>         int extIndex = name.lastIndexOf('.');
>>>>>         if (extIndex != -1) {
>>>>>             String ext = name.substring(extIndex + 1);
>>>>>             // validate length first
>>>>>             if (ext.length() > 3 || ext.length() < 1) {
>>>>>                 return false;
>>>>>             }
>>>>>             // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>>>>             for (int index = 0; index < ext.length(); index++) {
>>>>>                 char cc = ext.charAt(index);
>>>>>                 // chars are promoted to uppercase so skip lowercase checks
>>>>>                 if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>>>>                     return false;
>>>>>                 }
>>>>>             }
>>>>>         }
>>>>>         return true; // no extension is OK
>>>>>     }
>>>>>     return false;
>>>>> }
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
>>>>>> 
>>>>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>>>> 
>>>>>>> Thank you.  Regarding SIG- I just followed the spec.
>>>>>>> 
>>>>>> I hope Sean or Max can jump in on this, the other question is .EC as I 
>>>>>> believe the JDK allows this when signing too.
>>>>>> 
>>>>>> -Alan
>>>>> 
>>>> 
>>> 
> 

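To see what the revised predicate from the thread actually classifies, here is an added, stand-alone example (not part of the webrev or the JDK sources): it builds a constructed in-memory jar, applies the same META-INF test as the revised snippet, and reports which entries --strip-signing-information would drop and whether the jar carries signing information at all. The class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SigningEntryCheck {
    // Same test as the revised snippet in the thread: signature files directly
    // inside META-INF (no deeper directory); MANIFEST.MF is deliberately kept.
    static boolean isSignatureRelated(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
                name.endsWith(".SF") || name.endsWith(".DSA") ||
                name.endsWith(".RSA") || name.endsWith(".EC") ||
                name.startsWith("META-INF/SIG-"));
    }
    // Entries that --strip-signing-information would drop from this jar.
    static List<String> signatureEntries(byte[] jar) throws IOException {
        List<String> found = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(jar))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                if (isSignatureRelated(e.getName())) {
                    found.add(e.getName());
                }
            }
        }
        return found;
    }
    // Constructed in-memory jar: only the entry names matter here, so bodies are empty.
    static byte[] sampleJar(String... names) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(bytes)) {
            for (String n : names) {
                out.putNextEntry(new ZipEntry(n));
                out.closeEntry();
            }
        }
        return bytes.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        byte[] jar = sampleJar("META-INF/MANIFEST.MF", "META-INF/FOO.SF", "META-INF/FOO.RSA",
                "META-INF/bar.ec", "META-INF/SIG-BAR", "META-INF/sub/X.SF", "com/example/A.class");
        List<String> stripped = signatureEntries(jar);
        System.out.println(stripped.isEmpty() ? "no signing information in jar"
                : "jar is signed; image would not support signing, dropping " + stripped);
    }
}
```

Note that the nested `META-INF/sub/X.SF` and the manifest are kept, while `bar.ec` matches case-insensitively; unlike `SignatureFileVerifier.isSigningRelated`, the revised predicate does not validate the extension of `SIG-` entries.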