On Sat, 14 Jan 2023 12:14:54 GMT, Eirik Bjorsnos <d...@openjdk.org> wrote:

>> src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:
>>
>>> 978:      * Returns true iff the entry resides directly in the META-INF/ directory
>>> 979:      */
>>> 980:     private boolean isInMetaInf(ZipEntry ze) {
>>
>> Maybe move this method and the one in `JarVerifier` to a common place like `sun.security.util.SignatureFileVerifier`?
>
> This duplicated check annoyed me also, but the existing checks have different behavior:
>
> - JarVerifier.beginEntry normalizes the path to uppercase, then checks that it starts with "META-INF/" or "/META-INF/"
> - JarSigner.sign0 does not normalize to uppercase, then checks that the path starts with "META-INF/"
>
> Introducing a common method would need to change the behaviour of one of these methods. This change of behaviour would not be relevant to the bug being fixed in this PR.
>
> Since I'm cautious of changing behaviour, I decided to keep the two methods.

While `JarSigner` does not normalize to uppercase, the check is the same. As for `/META-INF/`, it must be very broken now since `JarFile::maybeInstantiateVerifier` is using `JUZFA.getManifestName(this,true)` to read the manifest and `ZipFile` will not see the signature-related files. We can probably clean these up in a different PR.

-------------

PR: https://git.openjdk.org/jdk/pull/11976
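
The two prefix checks described in the quoted comment, run side by side over a few entry names, as an added example that is not part of the original message and is not the JDK's code. The predicates model the behaviour only as this thread describes it; the class name, method names, the reading of "directly in META-INF/" and the sample entry names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;

public class MetaInfCheckComparison {
    static final String META_INF = "META-INF/";

    // Model of the check attributed to JarVerifier.beginEntry in the thread:
    // normalize to uppercase, then accept "META-INF/" or "/META-INF/".
    static boolean verifierStyle(String name) {
        String upper = name.toUpperCase(Locale.ENGLISH);
        return upper.startsWith(META_INF) || upper.startsWith("/" + META_INF);
    }

    // Model of the check attributed to JarSigner.sign0 in the thread:
    // no case normalization, accept only the "META-INF/" prefix.
    static boolean signerStyle(String name) {
        return name.startsWith(META_INF);
    }

    // Hypothetical reading of the quoted javadoc ("resides directly in the
    // META-INF/ directory"): prefix match with no further path separator.
    // Case handling here is an assumption, not taken from the JDK sources.
    static boolean directlyInMetaInf(String name) {
        String upper = name.toUpperCase(Locale.ENGLISH);
        return upper.startsWith(META_INF)
                && upper.indexOf('/', META_INF.length()) < 0;
    }

    public static void main(String[] args) {
        // Constructed entry names, not taken from any real JAR.
        List<String> names = List.of(
                "META-INF/MANIFEST.MF",
                "meta-inf/SIGNER.SF",
                "/META-INF/SIGNER.RSA",
                "META-INF/services/com.example.Spi",
                "com/example/Main.class");

        System.out.printf("%-36s %-9s %-7s %-7s%n",
                "entry", "verifier", "signer", "direct");
        for (String n : names) {
            boolean v = verifierStyle(n);
            boolean s = signerStyle(n);
            // An entry the two checks classify differently is one that a
            // shared helper would have to treat differently than today.
            System.out.printf("%-36s %-9b %-7b %-7b%s%n",
                    n, v, s, directlyInMetaInf(n), v != s ? "  <- differs" : "");
        }
    }
}
```

The rows marked as differing are the names for which merging the two methods into one helper would change the result of one of the modelled checks.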