On Wed, 25 Jan 2023 17:38:13 GMT, Eirik Bjorsnos <[email protected]> wrote:
> This PR resurrects VerifySignedJar which currently tests nothing.
>
> VerifySignedJar currently verifies a binary JAR which was signed with SHA-1
> back in April 2000. Because SHA-1 signed JARs have been disabled for a while,
> the JAR is treated as unsigned so the test doesn't really test anything as of
> now.
>
> The test is updated in the following ways:
>
> - The JAR used for verification is now created and signed with SHA-256 by the
> test itself
> - The test is updated to check that the JAR is actually signed and with the
> expected certificate
> - JarEntry InputStreams are now read fully to ensure verification of all
> entries
> - Objects.requireNonNull is used to check that entries returned by getEntry,
> getJarEntry are non-null
> - The existing binary JAR is retired

test/jdk/java/util/jar/JarFile/VerifySignedJar.java line 69:
> 67: jf.getInputStream(e).transferTo(OutputStream.nullOutputStream());
> 68: // Check that all regular files are signed by duke
> 69: if(!e.getName().startsWith("META-INF/")) {
Suggestion:
if (!e.getName().startsWith("META-INF/")) {
-------------
PR: https://git.openjdk.org/jdk/pull/12206
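
The check the PR description outlines (read every entry fully, then confirm each regular file carries the expected signer) can be sketched as below. This is an added example, not code from the thread or from the JDK test; the class name `SignedJarCheck`, its method names and the command-line arguments are assumptions made for illustration.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {
    /** Returns the names of regular entries that are not signed by the expected certificate. */
    static List<String> unsignedEntries(File jar, Certificate expected) throws IOException {
        List<String> bad = new ArrayList<>();
        try (JarFile jf = new JarFile(jar, true)) {   // true = verify signatures while reading
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue;                          // same scope as the test: regular files only
                }
                // Signer information is only populated once the entry has been read to the end;
                // an entry whose digest does not match throws SecurityException during this read.
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                if (!signedBy(e.getCodeSigners(), expected)) {
                    bad.add(e.getName());
                }
            }
        }
        return bad;
    }

    static boolean signedBy(CodeSigner[] signers, Certificate expected) {
        if (signers == null) {
            return false;   // unsigned, or signed with a disabled algorithm and treated as unsigned
        }
        for (CodeSigner s : signers) {
            // First certificate in the path is the signer's own certificate.
            if (s.getSignerCertPath().getCertificates().get(0).equals(expected)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the JAR; args[1]: expected signer certificate file (both caller-supplied)
        Certificate expected;
        try (InputStream in = new FileInputStream(args[1])) {
            expected = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        List<String> bad = unsignedEntries(new File(args[0]), expected);
        bad.forEach(n -> System.out.println("not signed by expected certificate: " + n));
        System.exit(bad.isEmpty() ? 0 : 1);
    }
}
```

Checking for a `null` signer array is what catches the situation the PR describes: a JAR signed with a disabled algorithm opens and reads without error, so a test that only reads the entries passes without verifying anything.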