On Tue, 30 Jul 2024 22:24:04 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> There is an error in `jarsigner` on the "This JAR contains signed entries
>> that aren't signed by alias in this keystore" warning. The exit code is
>> determined by
>> [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L344)
>> but the warning message is controlled by
>> [`allAliasesFound`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L1183).
>>
>> Also, inside the `inKeyStoreForOneSigner()` method, all certificates in a
>> cert chain are used to determine whether the signer is in a keystore, and if
>> any is, the JAR file is treated as being signed by an alias in this
>> keystore. In fact, only the end-entity certificate (the first one in the
>> chain) should be checked.
>>
>> After the fix, the `allAliasesFound` field and the `SOME_ALIASES_NOT_FOUND`
>> constant are useless and can be removed.
>>
>> *Update*: this warning is reclassified as an informational warning in the
>> latest commits.
>
> Weijun Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
> enhance test to check for severe and informational warnings

❗ Please don't merge without changes ❗

> New commit pushed.
> `aliasNotInStore` is no longer considered as a severe warning.
> This is reasonable because in the real world we should not expect the JAR file
> verifier to have the signer's key or certificate in their local keystore.

Please do not remove this feature. It is essential for people wanting a strict validation vs. a given certificate. Correct me if I'm wrong, but afaik, without that severe warning, all jarsigner does is validate that *anyone* signed this, and there's no way to tell if it was signed by the correct signer.

One can, with some investigative skills, figure out the signer and textually compare them (or extract the cert manually), but that is cumbersome and few people will realistically do that. If I read the docs correctly, specifying a keystore should cause jarsigner to emit that strict warning if the signer's certificate is not in the keystore. I can't test that, though, because [JDK-8330217](https://bugs.openjdk.org/browse/JDK-8330217) blocks my testing.

> As long as the root CA for the signer is in either `cacerts` or the local
> keystore, the verification should succeed with no severe warning.

I'm not sure how to interpret that "or". Is `cacerts` still used if -keystore is specified?

> The jarsigner man page will need to be updated.
>
> A new `OutputAnalyzer::shouldContainOrderedSequence` method is added to
> ensure that a series of strings are contained inside the output in their
> order. There is an existing similar method `shouldContainMultiLinePattern`,
> but it requires that the containing lines be consecutive. Therefore a new method
> is introduced.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19701#issuecomment-2787840785