> > ZipFile.isSignatureRelated currently returns true for paths such as the
> > following:
> >
> > META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA
>

I found a couple more call sites of SignatureFileVerifier.isBlockOrSF which
incorrectly treat [SF,DSA,RSA,EC] files as signature related even when they
reside in subdirectories of META-INF/:

o JarVerifier.beginEntry incorrectly sets up verification
o JarSigner.sign0 incorrectly identifies a jar as already signed, even when it is not

I have made a draft PR which updates these call sites to require files to
reside directly in META-INF/ before they are considered signature related:

https://github.com/openjdk/jdk/pull/11976

The PR includes a new test which verifies that subdirectory signature files
are indeed ignored by the updated code.

Feedback on this PR is welcome!

A few questions:

> > 1: Where is the exact location of signature related files specified?

I'm assuming the JAR File Specification is the normative source here [1]

> > 2: Is the current behaviour indeed incorrect?

The spec says: "Note that if such files are located in META-INF
subdirectories, they are not considered signature-related"

> > 3: Should ZipFile.isSignatureRelated be updated such that it only matches
> > signature related files which reside exactly in "META-INF/" ?

I guess there is a risk that jar files may exist which are signed with
signature files in subdirectories. If such files exist, they are not produced
with jarsigner and they are not according to the spec.

Eirik.
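The path rule discussed above (a .SF/.DSA/.RSA/.EC file counts as signature related only when it sits directly in META-INF/, not in a META-INF subdirectory), written out as an added example. This is not JDK code and not the draft PR's code: `lenient` is a hypothetical model of the extension-only matching the message describes as incorrect, `strict` is a hypothetical implementation of the JAR File Specification rule, and the sample paths in `main` are constructed (the BouncyCastle path is the one quoted in the thread).

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical names, not the JDK's own API): compares a
 * lenient "any META-INF path with a block/SF extension" check against the
 * strict "directly in META-INF/" rule from the JAR File Specification.
 */
public final class SignatureRelatedCheck {

    private static final String META_INF = "META-INF/";
    // Signature block and signature file extensions named in the message.
    private static final Set<String> BLOCK_OR_SF = Set.of("SF", "DSA", "RSA", "EC");

    /** Extension of the last path segment, upper-cased, or "" if there is none. */
    private static String extension(String name) {
        String upper = name.toUpperCase(Locale.ENGLISH);
        int slash = upper.lastIndexOf('/');
        int dot = upper.lastIndexOf('.');
        // Require a non-empty base name before the dot (rejects "META-INF/.SF").
        return (dot > slash + 1) ? upper.substring(dot + 1) : "";
    }

    /**
     * Model of the behaviour the message calls incorrect: anything under
     * META-INF/ (at any depth) with a block/SF extension is treated as
     * signature related.
     */
    public static boolean lenient(String name) {
        String upper = name.toUpperCase(Locale.ENGLISH);
        return upper.startsWith(META_INF) && BLOCK_OR_SF.contains(extension(name));
    }

    /**
     * Spec rule: the file must reside directly in META-INF/, i.e. the
     * remainder of the path after "META-INF/" contains no further '/'.
     */
    public static boolean strict(String name) {
        String upper = name.toUpperCase(Locale.ENGLISH);
        if (!upper.startsWith(META_INF)) {
            return false;
        }
        String rest = upper.substring(META_INF.length());
        if (rest.indexOf('/') >= 0) {
            return false; // in a META-INF subdirectory: not signature related
        }
        return BLOCK_OR_SF.contains(extension(name));
    }

    public static void main(String[] args) {
        // Constructed sample entry names; the BouncyCastle path is the one from the thread.
        List<String> paths = List.of(
            "META-INF/ALIAS.SF",
            "META-INF/ALIAS.RSA",
            "META-INF/alias.ec",
            "META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA",
            "META-INF/sub/ALIAS.SF",
            "META-INF/.SF",
            "org/example/Foo.class");

        System.out.printf("%-85s %-8s %s%n", "entry", "lenient", "strict");
        for (String p : paths) {
            System.out.printf("%-85s %-8s %s%n", p, lenient(p), strict(p));
        }
    }
}
```

Running `main` shows the two checks agreeing on the top-level entries and disagreeing only on the subdirectory paths, which is exactly the class of entry the draft PR's new test is meant to cover: `lenient` reports the nested BC2048KE.DSA as signature related, `strict` does not.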