On Sat, 14 Jan 2023 12:14:54 GMT, Eirik Bjorsnos <d...@openjdk.org> wrote:
>> src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:
>>
>>> 978: * Returns true iff the entry resides directly in the META-INF/
>>> directory
>>> 979: */
>>> 980: private boolean isInMetaInf(ZipEntry ze) {
>>
>> Maybe move this method and the one in `JarVerifier` to a common place like
>> `sun.security.util.SignatureFileVerifier`?
>
> This duplicated check annoyed me also, but the existing checks have different
> behavior:
>
> - JarVerifier.beginEntry normalizes the path to uppercase, them checks that
> it starts with "META-INF/" or "/META-INF/"
> - JarSigner.sign0 does not normalize to uppercase , then checks that the path
> starts with "META-INF/"
>
> Introducing a common method would need change behaviour of one of these
> methods. This change of behaviour would not be relevant to the bug being
> fixed in this PR.
>
> Since I'm cautious of changing behaviour, I decided to keep the two methods.
While `JarSigner` has not normalize to uppercase, the check is the same. As for
`/META-INF/`, it must be very broken now since
`JarFile::maybeInstantiateVerifier` is using `JUZFA.getManifestName(this,true)`
to read the manifest and `ZipFile` will not see the signature-related files. We
can probably clean these up in a different PR.
-------------
PR: https://git.openjdk.org/jdk/pull/11976
