On Wed, 24 Jul 2024 19:12:59 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> There is an error in `jarsigner` on the "This JAR contains signed entries
>> that aren't signed by alias in this keystore" warning. The exit code is
>> determined by
>> [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L344)
>> but the warning message is controlled by
>> [`allAliasesFound`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L1183).
>>
>> Also, inside the `inKeyStoreForOneSigner()` method, all certificates in a
>> cert chain are used to determine whether the signer is in a keystore, and if
>> any is inside, the JAR file is treated as being signed by an alias in this
>> keystore. In fact, only the end-entity certificate (the first one in the
>> chain) should be checked.
>>
>> After the fix, the `allAliasesFound` field and the `SOME_ALIASES_NOT_FOUND`
>> constant are useless and can be removed.
>
> Weijun Wang has updated the pull request with a new target base due to a
> merge or a rebase. The incremental webrev excludes the unrelated changes
> brought in by the merge/rebase. The pull request contains three additional
> commits since the last revision:
>
> - Merge branch 'master' into 8330217
> - aliasNotInStore not severe
> - the fix

New commit pushed. `aliasNotInStore` is no longer considered a severe warning. This is reasonable because in the real world we should not expect the JAR file verifier to have the signer's key or certificate in their local keystore. As long as the root CA for the signer is in either `cacerts` or the local keystore, the verification should succeed with no severe warning. The jarsigner man page will need to be updated.

A new `OutputAnalyzer::shouldContainOrderedSequence` method is added to ensure that a series of strings are contained inside the output in their order. There is an existing similar method, `shouldContainMultiLinePattern`, but it requires the matching lines to be consecutive. Therefore a new method is introduced.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19701#issuecomment-2248730195
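The distinction drawn in the comment above, an ordered-but-not-necessarily-adjacent match versus a consecutive-lines match, as an added stand-alone example. This is not the OpenJDK test library's `OutputAnalyzer` code; the method names `containsOrderedSequence` and `containsConsecutiveLines`, and the sample output (shaped loosely like a `jarsigner -verify` run that emits the warning quoted in the PR), are constructed for illustration.

```java
import java.util.List;

/**
 * Added example, not OpenJDK code: two ways of asserting that expected
 * strings appear in a tool's output.
 *
 *  - containsOrderedSequence: every expected string occurs, and the
 *    occurrences appear in the given order, with anything in between
 *    (the behaviour described for shouldContainOrderedSequence).
 *  - containsConsecutiveLines: the expected strings must appear on
 *    consecutive lines (the stricter behaviour described for
 *    shouldContainMultiLinePattern).
 */
public class OrderedSequenceCheck {

    /** Ordered subsequence match: each search resumes after the previous hit. */
    static boolean containsOrderedSequence(String output, List<String> expected) {
        int from = 0;
        for (String s : expected) {
            int idx = output.indexOf(s, from);
            if (idx < 0) {
                return false;            // missing, or only present before an earlier item
            }
            from = idx + s.length();     // later items must start after this one
        }
        return true;
    }

    /** Consecutive-lines match: a window of adjacent lines must contain the items in order. */
    static boolean containsConsecutiveLines(String output, List<String> expected) {
        String[] lines = output.split("\\R");
        outer:
        for (int start = 0; start + expected.size() <= lines.length; start++) {
            for (int j = 0; j < expected.size(); j++) {
                if (!lines[start + j].contains(expected.get(j))) {
                    continue outer;      // window broken by a non-matching line
                }
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample output (hypothetical, not captured from jarsigner).
        // A blank line separates "jar verified." from the warning block.
        String output = String.join("\n",
                "jar verified.",
                "",
                "Warning:",
                "This JAR contains signed entries that aren't signed by alias in this keystore.",
                "");

        List<String> expected = List.of(
                "jar verified.",
                "Warning:",
                "aren't signed by alias in this keystore");

        // Passes: items are present and in order, gaps allowed.
        System.out.println("ordered:     " + containsOrderedSequence(output, expected));
        // Fails: the blank line breaks adjacency, which is why a separate
        // ordered-sequence check is needed for output like this.
        System.out.println("consecutive: " + containsConsecutiveLines(output, expected));
        // Fails: same strings, wrong order.
        System.out.println("reversed:    " + containsOrderedSequence(output,
                List.of("Warning:", "jar verified.")));
    }
}
```

The ordered check deliberately advances `from` past the end of each hit, so the same occurrence cannot satisfy two expected items; without that, a list such as `["Warning", "Warning:"]` would pass on a single `Warning:` line.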