On Wed, 19 Mar 2025 03:23:17 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> The jarsigner -verify command currently performs verification by reading
>> from JarFile to navigate the central directory (CEN) headers. It is now
>> enhanced to include cross-validation of entries between JarFile (CEN-based)
>> and JarInputStream (stream-based) representations of the JAR. It emits
>> earnings when detecting discrepancies between a JAR file’s central directory
>> and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional
> commit since the last revision:
>
> Add testcase for entry name integrity check
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1147:
> 1145: Manifest locManifest = jis.getManifest();
> 1146: if (!compareManifest(cenManifest, locManifest)) {
> 1147: return;
Here and within `compareManifest`, there are multiple early returns. Have you
considered avoiding early returns and accumulating more warnings instead?
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1184:
> 1182: }
> 1183:
> 1184: private void readEntry(InputStream is) throws IOException {
This can be rewritten as `is.transferTo(OutputStream.nullOutputStream())`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2003344786
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2003346301
