The security entries are (have been) ignored when building the image. At some future date (post-9), we need to decide how to sign an image.
— Jim

> On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
>
> The code block below checking if a jar file was signed is correct.
>
> There is one thing I don't understand, the --strip-signing-information
> option. It looks like you will remove the signature-related files if this
> option is set. But, where are they stripped?
>
> Thanks
> Max
>
> On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
>> Apologies for the poor links earlier.
>>
>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>
>>
>>> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle) <james.las...@oracle.com> wrote:
>>>
>>> Revising to
>>>
>>>     String name = entry.name().toUpperCase(Locale.ENGLISH);
>>>
>>>     return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>>>             name.endsWith(".SF") ||
>>>             name.endsWith(".DSA") ||
>>>             name.endsWith(".RSA") ||
>>>             name.endsWith(".EC") ||
>>>             name.startsWith("META-INF/SIG-")
>>>     );
>>>
>>>
>>>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) <james.las...@oracle.com> wrote:
>>>>
>>>> Right. From SignatureFileVerifier.java
>>>>
>>>>
>>>>     /**
>>>>      * Utility method used by JarVerifier and JarSigner
>>>>      * to determine the signature file names and PKCS7 block
>>>>      * files names that are supported
>>>>      *
>>>>      * @param s file name
>>>>      * @return true if the input file name is a supported
>>>>      *          Signature File or PKCS7 block file name
>>>>      */
>>>>     public static boolean isBlockOrSF(String s) {
>>>>         // we currently only support DSA and RSA PKCS7 blocks
>>>>         return s.endsWith(".SF")
>>>>             || s.endsWith(".DSA")
>>>>             || s.endsWith(".RSA")
>>>>             || s.endsWith(".EC");
>>>>     }
>>>>
>>>>     /**
>>>>      * Yet another utility method used by JarVerifier and JarSigner
>>>>      * to determine what files are signature related, which includes
>>>>      * the MANIFEST, SF files, known signature block files, and other
>>>>      * unknown signature related files (those starting with SIG- with
>>>>      * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>>>      *
>>>>      * @param name file name
>>>>      * @return true if the input file name is signature related
>>>>      */
>>>>     public static boolean isSigningRelated(String name) {
>>>>         name = name.toUpperCase(Locale.ENGLISH);
>>>>         if (!name.startsWith("META-INF/")) {
>>>>             return false;
>>>>         }
>>>>         name = name.substring(9);
>>>>         if (name.indexOf('/') != -1) {
>>>>             return false;
>>>>         }
>>>>         if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>>>             return true;
>>>>         } else if (name.startsWith("SIG-")) {
>>>>             // check filename extension
>>>>             // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>>>             // for what filename extensions are legal
>>>>             int extIndex = name.lastIndexOf('.');
>>>>             if (extIndex != -1) {
>>>>                 String ext = name.substring(extIndex + 1);
>>>>                 // validate length first
>>>>                 if (ext.length() > 3 || ext.length() < 1) {
>>>>                     return false;
>>>>                 }
>>>>                 // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>>>                 for (int index = 0; index < ext.length(); index++) {
>>>>                     char cc = ext.charAt(index);
>>>>                     // chars are promoted to uppercase so skip lowercase checks
>>>>                     if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>>>                         return false;
>>>>                     }
>>>>                 }
>>>>             }
>>>>             return true; // no extension is OK
>>>>         }
>>>>         return false;
>>>>     }
>>>>
>>>>
>>>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
>>>>>
>>>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>>>
>>>>>> Thank you. Regarding SIG-, I was just following the spec.
>>>>>>
>>>>> I hope Sean or Max can jump in on this, the other question is .EC as I
>>>>> believe the JDK allows this when signing too.
>>>>>
>>>>> -Alan
>>>>
>>>
>>
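The thread compares the full `isSigningRelated()` logic from SignatureFileVerifier.java with the shorter predicate proposed in the revision. As an added example (not code from the thread or from the JDK), the following Python transliterates both rules and runs them over constructed META-INF entry names to show exactly which names they classify differently: the manifest, and SIG- files whose extension the JAR spec rule would reject.

```python
# Added example: Python mirrors of the two JAR entry-name predicates discussed
# in the thread, compared over constructed sample names. str.upper() stands in
# for toUpperCase(Locale.ENGLISH); both are locale-independent for ASCII names.

BLOCK_OR_SF = (".SF", ".DSA", ".RSA", ".EC")


def is_block_or_sf(name: str) -> bool:
    """Signature file or PKCS7 block file, by extension (assumes upper case)."""
    return name.endswith(BLOCK_OR_SF)


def is_signing_related_full(name: str) -> bool:
    """Mirror of SignatureFileVerifier.isSigningRelated(): top-level META-INF
    manifest, SF/block files, or SIG-* with an optional 1-3 char [A-Z0-9] ext."""
    name = name.upper()
    if not name.startswith("META-INF/"):
        return False
    name = name[9:]                      # strip "META-INF/"
    if "/" in name:
        return False                     # nested directories never count
    if is_block_or_sf(name) or name == "MANIFEST.MF":
        return True
    if name.startswith("SIG-"):
        ext_index = name.rfind(".")
        if ext_index != -1:
            ext = name[ext_index + 1:]
            if not 1 <= len(ext) <= 3:
                return False
            if not all("A" <= c <= "Z" or "0" <= c <= "9" for c in ext):
                return False
        return True                      # no extension is OK
    return False


def is_signing_related_revised(name: str) -> bool:
    """Mirror of the shorter predicate proposed in the revision."""
    name = name.upper()
    return name.startswith("META-INF/") and name.find("/", 9) == -1 and (
        name.endswith(BLOCK_OR_SF) or name.startswith("META-INF/SIG-"))


def disagreements(names):
    """Entry names on which the two predicates give different answers."""
    return [n for n in names
            if is_signing_related_full(n) != is_signing_related_revised(n)]


# Constructed sample entry names (not from any real JAR).
SAMPLE = [
    "META-INF/MANIFEST.MF",     # full: True, revised: False
    "META-INF/ALICE.SF",        # both True
    "META-INF/alice.rsa",       # both True (case-insensitive)
    "META-INF/SIG-ALICE",       # both True (no extension is OK)
    "META-INF/SIG-ALICE.ABC",   # both True
    "META-INF/SIG-ALICE.ABCD",  # full: False (4-char ext), revised: True
    "META-INF/SIG-ALICE.A_C",   # full: False ('_' not allowed), revised: True
    "META-INF/sub/ALICE.SF",    # both False (nested)
    "com/example/Main.class",   # both False
]
```

Running `disagreements(SAMPLE)` returns the manifest and the two malformed SIG- names, which is the difference a reviewer of the jlink plugin would want spelled out.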