Re: RFR 8022761: SQE test regression on wrongly signed indexed jar file

Mon, 26 Aug 2013 09:38:53 -0700 

On 08/19/2013 06:11 AM, Weijun Wang wrote:

Hi Sherman

I try out "jar i" after signing and it puts INDEX.LIST at the very beginning of 
the file. Does this mean INDEX.LIST was actually an exception? Or it's just a bug?

Anyway, I think I should update the fix for 8021788 and here is the webrev:

  http://cr.openjdk.java.net/~weijun/8022761/webrev.00/

Now it also skips INDEX.LIST, i.e. update line 142 to

  if (uname.equals(JarFile.MANIFEST_NAME) ||
          uname.equals(JarIndex.INDEX_NAME) ) {

After this change, if INDEX.LIST appears before the MANIFEST and signature-related files, 
it will not be treated as signed. This should usually be true because it only happens 
when you call "jar i" after signing a jar which means INDEX.LIST *is* unsigned.

Thanks
Max

On 8/12/13 12:18 PM, Weijun Wang wrote:

Hi Sherman

SQE observes a regression in their test suite and
the reason is my recent fix for 8021788 at

   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/758e3117899c

The jar file mentioned contains

     66 Mon Jun 04 15:42:18 CST 2007 META-INF/INDEX.LIST
    323 Sat Apr 01 15:47:28 CST 2000 META-INF/MANIFEST.MF
    376 Mon Jun 04 15:41:00 CST 2007 META-INF/MYKEY.SF
    972 Sat Apr 01 15:47:38 CST 2000 META-INF/MYKEY.DSA
      0 Sat Apr 01 15:46:58 CST 2000 META-INF/
      0 Sat Apr 01 15:45:16 CST 2000 test/
     21 Sat Apr 01 15:46:24 CST 2000 test/test0
     21 Sat Apr 01 15:46:18 CST 2000 test/test1
     21 Sat Apr 01 15:46:04 CST 2000 test/test2
     21 Sat Apr 01 15:46:10 CST 2000 test/test3

After JDK-8021788, the file is regarded as an unsigned jar because the
updated JarVerifier goes thru all signature-related files and treats all
others not. Here the first one is not signature-related so none is.

Is fix for JDK-8021788 wrong? Inside JarVerifier.java, we have

   * Assumptions:
   * 1. The manifest should be the first entry in the META-INF directory.
   * 2. The .SF/.DSA/.EC files follow the manifest, before any normal
entries

Is this INDEX.LIST an exception?



Hi Max,

The assumption was made probably before the jar index was introduced(1.3?).
Jar spec never assumes the "order" of the files inside the meta-inf directory
(the spec treats the jar/zip file as a file system, the implementation then 
faces
this issue when the archive is handled in "steam"), but our implementation
does have the assumption. JarInputStream has a similar assumption regarding
the manifest.mf and a workaround for jarindex, if the jarindex is the first one.
I would take it as an implementation details.

The change looks fine.

-Sherman


Thanks
Max

Reply via email to