On Wed, 18 Jan 2023 13:42:12 GMT, Eirik Bjorsnos <d...@openjdk.org> wrote:
>> When introducing the call to isInMetaInf in isSigningRelated, I accidentally
>> broke the matching of MANIFEST.MF and SIG-* files.
>>
>> When fixing this regression, I now match against the full path instead of
>> the existing prefix stripping substring. (A nice side effect of this is that
>> isBlockOrSF is now always called with the full path)
>>
>> Since the regression was not caught by any existing test, I'm also adding a
>> sanity check that a basic signed JAR has the expected sections in
>> MANIFEST.MF. (The regression introduced a section for META-INF/MANIFEST.MF
>> which seemed to not be caught by tests)
>
> On a similar note, I added test covering for the matching of custom SIG-*
> files in SignatureFileVerifier.isSigningRelated.
>
> The test now checks both valid and invalid SIG- file extensions and directory
> locations inside/outside META-INF

Added test cases for:

- META-INF/unrelated.txt (Unrelated file in META-INF)
- META-INF/SIG-CUSTOM (No extension is ok)
- META-INF/SIG-CUSTOM2. (Extension too short)
- META-INF/SIG-CUSTOM2.ABCD (Extension too long)

Reading the Jar File Specification, I cannot see that it explicitly allows no extension for SIG- files, but that's what the current code does. It feels safest to leave it that way.

-------------

PR: https://git.openjdk.org/jdk/pull/11976
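
The matching rules this message describes, restated as an added example (not code from the pull request or from the JDK's SignatureFileVerifier) and run over the listed test names plus a few constructed ones. Assumptions: the class and method bodies are hypothetical, the block/SF extensions are taken to be .SF, .DSA, .RSA and .EC, and SIG- extensions are taken to be 1 to 3 letters or digits.

```java
import java.util.List;
import java.util.Locale;

public class SigningRelatedDemo {

    private static final String META_INF = "META-INF/";

    // Hypothetical restatement of the rules discussed in the thread.
    static boolean isSigningRelated(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        if (!name.startsWith(META_INF)) return false;           // outside META-INF
        String file = name.substring(META_INF.length());
        if (file.isEmpty() || file.indexOf('/') != -1) return false; // directory entry or subdirectory
        if (file.equals("MANIFEST.MF") || isBlockOrSF(file)) return true;
        if (!file.startsWith("SIG-")) return false;             // unrelated file in META-INF
        int dot = file.lastIndexOf('.');
        if (dot == -1) return true;                             // no extension is accepted
        String ext = file.substring(dot + 1);
        if (ext.length() < 1 || ext.length() > 3) return false; // too short or too long
        // Assumption: only A-Z and 0-9 are allowed in the extension.
        return ext.chars().allMatch(c -> (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'));
    }

    // Assumption: signature file and signature block extensions.
    static boolean isBlockOrSF(String file) {
        return file.endsWith(".SF") || file.endsWith(".DSA")
            || file.endsWith(".RSA") || file.endsWith(".EC");
    }

    public static void main(String[] args) {
        List<String> names = List.of(
            "META-INF/unrelated.txt",       // from the message
            "META-INF/SIG-CUSTOM",          // from the message
            "META-INF/SIG-CUSTOM2.",        // from the message
            "META-INF/SIG-CUSTOM2.ABCD",    // from the message
            "META-INF/MANIFEST.MF",         // constructed
            "META-INF/SIG-CUSTOM.ABC",      // constructed
            "META-INF/sub/SIG-CUSTOM.ABC",  // constructed: nested below META-INF
            "SIG-CUSTOM.ABC");              // constructed: outside META-INF
        for (String n : names) {
            System.out.printf("%-30s signing-related=%b%n", n, isSigningRelated(n));
        }
    }
}
```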