It’s the lack of inclusion as opposed to exclusion.

> On Nov 7, 2016, at 10:33 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
> 
> Great. I asked the question because you will need the exact same check to 
> determine what files should be ignored and I thought they should appear in 
> the same webrev. If it's already done somewhere else please make sure it is 
> the same. 
> 
> Thanks
> Max
> 
>> On Nov 7, 2016, at 22:11, Jim Laskey (Oracle) <james.las...@oracle.com> wrote:
>> 
>> The security entries are (have been) ignored when building the image.  At 
>> some future date (post-9), we need to decide how to sign an image.
>> 
>> — Jim
>> 
>> 
>>> On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
>>> 
>>> The code block below checking if a jar file was signed is correct.
>>> 
>>> There is one thing I don't understand, the --strip-signing-information 
>>> option. It looks like you will remove the signature-related files if this 
>>> option is set. But, where are they stripped?
>>> 
>>> Thanks
>>> Max
>>> 
>>>> On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
>>>> Apologies for the poor links earlier.
>>>> 
>>>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>>>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>>> 
>>>> 
>>>>> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle) <james.las...@oracle.com> 
>>>>> wrote:
>>>>> 
>>>>> Revising to
>>>>> 
>>>>>                 String name = entry.name().toUpperCase(Locale.ENGLISH);
>>>>> 
>>>>>                 return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>>>>>                             name.endsWith(".SF") ||
>>>>>                             name.endsWith(".DSA") ||
>>>>>                             name.endsWith(".RSA") ||
>>>>>                             name.endsWith(".EC") ||
>>>>>                             name.startsWith("META-INF/SIG-")
>>>>>                         );
>>>>> 
>>>>> 
>>>>>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) 
>>>>>> <james.las...@oracle.com> wrote:
>>>>>> 
>>>>>> Right.  From SignatureFileVerifier.java
>>>>>> 
>>>>>> 
>>>>>> /**
>>>>>> * Utility method used by JarVerifier and JarSigner
>>>>>> * to determine the signature file names and PKCS7 block
>>>>>> * files names that are supported
>>>>>> *
>>>>>> * @param s file name
>>>>>> * @return true if the input file name is a supported
>>>>>> *          Signature File or PKCS7 block file name
>>>>>> */
>>>>>> public static boolean isBlockOrSF(String s) {
>>>>>>    // we currently only support DSA and RSA PKCS7 blocks
>>>>>>    return s.endsWith(".SF")
>>>>>>        || s.endsWith(".DSA")
>>>>>>        || s.endsWith(".RSA")
>>>>>>        || s.endsWith(".EC");
>>>>>> }
>>>>>> 
>>>>>> /**
>>>>>> * Yet another utility method used by JarVerifier and JarSigner
>>>>>> * to determine what files are signature related, which includes
>>>>>> * the MANIFEST, SF files, known signature block files, and other
>>>>>> * unknown signature related files (those starting with SIG- with
>>>>>> * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>>>>> *
>>>>>> * @param name file name
>>>>>> * @return true if the input file name is signature related
>>>>>> */
>>>>>> public static boolean isSigningRelated(String name) {
>>>>>>    name = name.toUpperCase(Locale.ENGLISH);
>>>>>>    if (!name.startsWith("META-INF/")) {
>>>>>>        return false;
>>>>>>    }
>>>>>>    name = name.substring(9);
>>>>>>    if (name.indexOf('/') != -1) {
>>>>>>        return false;
>>>>>>    }
>>>>>>    if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>>>>>        return true;
>>>>>>    } else if (name.startsWith("SIG-")) {
>>>>>>        // check filename extension
>>>>>>        // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>>>>>        // for what filename extensions are legal
>>>>>>        int extIndex = name.lastIndexOf('.');
>>>>>>        if (extIndex != -1) {
>>>>>>            String ext = name.substring(extIndex + 1);
>>>>>>            // validate length first
>>>>>>            if (ext.length() > 3 || ext.length() < 1) {
>>>>>>                return false;
>>>>>>            }
>>>>>>            // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>>>>>            for (int index = 0; index < ext.length(); index++) {
>>>>>>                char cc = ext.charAt(index);
>>>>>>                // chars are promoted to uppercase so skip lowercase checks
>>>>>>                if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>>>>>                    return false;
>>>>>>                }
>>>>>>            }
>>>>>>        }
>>>>>>        return true; // no extension is OK
>>>>>>    }
>>>>>>    return false;
>>>>>> }
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <alan.bate...@oracle.com> 
>>>>>>> wrote:
>>>>>>> 
>>>>>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>>>>> 
>>>>>>>> Thank you.  Regarding SIG- I was just following the spec.
>>>>>>>> 
>>>>>>> I hope Sean or Max can jump in on this, the other question is .EC as I 
>>>>>>> believe the JDK allows this when signing too.
>>>>>>> 
>>>>>>> -Alan
>>>>>> 
>>>>> 
>>>> 
>> 
> 
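
Added example, not part of the thread or the JDK sources: it runs the revised predicate and the quoted `isSigningRelated` logic over the entries of an in-memory archive and marks the names on which the two checks disagree. The class name `SignedEntryScan`, the regex restatement of `isSigningRelated`, and all entry names are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SignedEntryScan {
    // Revised predicate quoted in the thread (direct children of META-INF only).
    static boolean revised(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
                name.endsWith(".SF") || name.endsWith(".DSA") ||
                name.endsWith(".RSA") || name.endsWith(".EC") ||
                name.startsWith("META-INF/SIG-"));
    }

    // Regex restatement (an assumption of this example) of the quoted isSigningRelated.
    static final Pattern RELATED = Pattern.compile(
            "META-INF/(MANIFEST\\.MF|[^/]*\\.(SF|DSA|RSA|EC)"
            + "|SIG-[^/.]*|SIG-[^/]*\\.[A-Z0-9]{1,3})");
    static boolean signingRelated(String entryName) {
        return RELATED.matcher(entryName.toUpperCase(Locale.ENGLISH)).matches();
    }

    public static void main(String[] args) throws IOException {
        // Constructed entry names, written to an in-memory archive.
        String[] names = { "META-INF/MANIFEST.MF", "META-INF/app.sf", "META-INF/APP.RSA",
                "META-INF/SIG-X", "META-INF/SIG-X.LONGEXT", "META-INF/versions/9/A.SF",
                "com/example/A.class" };
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            for (String n : names) {
                out.putNextEntry(new ZipEntry(n));
                out.closeEntry();
            }
        }
        // Read the archive back and classify each entry with both checks.
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                boolean a = revised(e.getName()), b = signingRelated(e.getName());
                System.out.printf("%-26s revised=%-5b isSigningRelated=%-5b%s%n",
                        e.getName(), a, b, a != b ? "  <-- differ" : "");
            }
        }
    }
}
```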
