On 11/7/16 9:13 AM, Jim Laskey (Oracle) wrote:
The bug https://bugs.openjdk.java.net/browse/JDK-8159393
<https://bugs.openjdk.java.net/browse/JDK-8159393> is really about
warning developers that their image does not support signing. If
they are okay with that then they can override with
--strip-signing-information.
I find the option name --strip-signing-information a little bit
confusing. To me this implies jlink might remove the signature
information from the original signed modular JAR, which is not what you
are doing, correct? Why not call it "--ignore-signing-information"?
--Sean
— Jim
On Nov 7, 2016, at 10:11 AM, Jim Laskey (Oracle)
<james.las...@oracle.com> wrote:
The security entries are (have been) ignored when building the
image. At some future date (post-9), we need to decide how to sign
an image.
— Jim
On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.w...@oracle.com>
wrote:
The code block below checking if a jar file was signed is
correct.
There is one thing I don't understand, the
--strip-signing-information option. It looks like you will remove
the signature-related files if this option is set. But, where are
they stripped?
Thanks Max
On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
Apologies for the poor links earlier.
http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
https://bugs.openjdk.java.net/browse/JDK-8159393
On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle)
<james.las...@oracle.com> wrote:
Revising to
String name = entry.name().toUpperCase(Locale.ENGLISH);
return name.startsWith("META-INF/") && name.indexOf('/', 9)
== -1 && ( name.endsWith(".SF") || name.endsWith(".DSA") ||
name.endsWith(".RSA") || name.endsWith(".EC") ||
name.startsWith("META-INF/SIG-") );
On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle)
<james.las...@oracle.com> wrote:
Right. From SignatureFileVerifier.java
/** * Utility method used by JarVerifier and JarSigner * to
determine the signature file names and PKCS7 block * files
names that are supported * * @param s file name * @return
true if the input file name is a supported *
Signature File or PKCS7 block file name */ public static
boolean isBlockOrSF(String s) { // we currently only
support DSA and RSA PKCS7 blocks return s.endsWith(".SF")
|| s.endsWith(".DSA") || s.endsWith(".RSA") ||
s.endsWith(".EC"); }
/** * Yet another utility method used by JarVerifier and
JarSigner * to determine what files are signature related,
which includes * the MANIFEST, SF files, known signature
block files, and other * unknown signature related files
(those starting with SIG- with * an optional [A-Z0-9]{1,3}
extension right inside META-INF). * * @param name file
name * @return true if the input file name is signature
related */ public static boolean isSigningRelated(String
name) { name = name.toUpperCase(Locale.ENGLISH); if
(!name.startsWith("META-INF/")) { return false; } name =
name.substring(9); if (name.indexOf('/') != -1) { return
false; } if (isBlockOrSF(name) ||
name.equals("MANIFEST.MF")) { return true; } else if
(name.startsWith("SIG-")) { // check filename extension //
see
http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
// for what filename extensions are legal
int extIndex = name.lastIndexOf('.'); if (extIndex != -1)
{ String ext = name.substring(extIndex + 1); // validate
length first if (ext.length() > 3 || ext.length() < 1) {
return false; } // then check chars, must be in [a-zA-Z0-9]
per the jar spec for (int index = 0; index < ext.length();
index++) { char cc = ext.charAt(index); // chars are
promoted to uppercase so skip lowercase checks if ((cc <
'A' || cc > 'Z') && (cc < '0' || cc > '9')) { return
false; } } } return true; // no extension is OK } return
false; }
On Nov 7, 2016, at 9:16 AM, Alan Bateman
<alan.bate...@oracle.com> wrote:
On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
Thank you. Regarding SIG- I was just followed the
spec.
I hope Sean or Max can jump in on this, the other
question is .EC as I believe the JDK allows this when
signing too.
-Alan
