Re: RFR: 8339280: jarsigner -verify performs cross-checking between CEN and LOC [v13]

Tue, 25 Mar 2025 13:45:43 -0700 

On Fri, 21 Mar 2025 19:23:59 GMT, Hai-May Chao <[email protected]> wrote:

>> The jarsigner -verify command currently performs verification by reading 
>> from JarFile to navigate the central directory (CEN) headers. It is now 
>> enhanced to include cross-validation of entries between JarFile (CEN-based) 
>> and JarInputStream (stream-based) representations of the JAR. It emits 
>> earnings when detecting discrepancies between a JAR file’s central directory 
>> and its local file entries.
>
> Hai-May Chao has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Update test with more ZipEntry in the jar

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1241:

> 1239:         boolean locHasSigners = locSigners != null;
> 1240: 
> 1241:         if (cenHasSigners && locHasSigners) {

So, it's ok if one entry has code signers but the other doesn't?

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1245:

> 1243:             List<CodeSigner> locSignerList = Arrays.asList(locSigners);
> 1244: 
> 1245:             if (!cenSignerList.equals(locSignerList)) {

I think you can just call `Arrays.equals()` here.

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1247:

> 1245:             if (!cenSignerList.equals(locSignerList)) {
> 1246:                 crossChkWarnings.add(String.format(rb.getString(
> 1247:                         
> "signature.mismatch.for.entry.1.when.comparing.jarfile.and.jarinputstream"),

"Signature mismatch" is not accurate in my opinion. This is really just about 
the code signers. Can we change this warning to "Code signers are different for 
entry %s when reading from JarFile and JarInputStream".

I like the words "reading from" instead of "comparing" as it seems to better 
describe what the JarFile and JarInputStream APIs for and how to diagnose the 
issue.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012894677
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012897366
PR Review Comment: https://git.openjdk.org/jdk/pull/23532#discussion_r2012904886

Reply via email to