n 07/11/2016 12:29, Jim Laskey (Oracle) wrote:
http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html
<http://cr.openjdk.java.net/~jlaskey/8159393/webrev/test/tools/jlink/JLinkSigningTest.java.html>
https://bugs.openjdk.java.net/browse/JDK-8159393
I think this is the link:
http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
I hope someone from the security area will be able to help review this.
One thing that isn't clear to me is whether the check for META-INF/SIG-*
is right. Also I assume you need to toUpperCase(Locale.ENGLISH) to align
with how JAR file verification checks for signed JARs.
In passing, should the usage and warning use "modular JAR" rather than
"modular jar"?
-Alan
