Looks good to me.

PS. jmods, jars are not modified by jlink. Only a new image directory is generated. So, strip-signing-info confusion is unlikely.

-Sundar

On 11/7/2016 9:36 PM, Sean Mullan wrote:
> On 11/7/16 9:13 AM, Jim Laskey (Oracle) wrote:
>> The bug https://bugs.openjdk.java.net/browse/JDK-8159393 is really about
>> warning developers that their image does not support signing. If
>> they are okay with that then they can override with
>> --strip-signing-information.
>
> I find the option name --strip-signing-information a little bit
> confusing. To me this implies jlink might remove the signature
> information from the original signed modular JAR, which is not what
> you are doing, correct? Why not call it "--ignore-signing-information"?
>
> --Sean
>
>>
>> — Jim
>>
>>
>>> On Nov 7, 2016, at 10:11 AM, Jim Laskey (Oracle)
>>> <james.las...@oracle.com> wrote:
>>>
>>> The security entries are (have been) ignored when building the
>>> image. At some future date (post-9), we need to decide how to sign
>>> an image.
>>>
>>> — Jim
>>>
>>>
>>>> On Nov 7, 2016, at 10:06 AM, Wang Weijun <weijun.w...@oracle.com>
>>>> wrote:
>>>>
>>>> The code block below checking if a jar file was signed is
>>>> correct.
>>>>
>>>> There is one thing I don't understand, the
>>>> --strip-signing-information option. It looks like you will remove
>>>> the signature-related files if this option is set. But, where are
>>>> they stripped?
>>>>
>>>> Thanks
>>>> Max
>>>>
>>>> On 11/7/2016 9:48 PM, Jim Laskey (Oracle) wrote:
>>>>> Apologies for the poor links earlier.
>>>>>
>>>>> http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
>>>>> https://bugs.openjdk.java.net/browse/JDK-8159393
>>>>>
>>>>>
>>>>>> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle)
>>>>>> <james.las...@oracle.com> wrote:
>>>>>>
>>>>>> Revising to
>>>>>>
>>>>>>     String name = entry.name().toUpperCase(Locale.ENGLISH);
>>>>>>
>>>>>>     return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>>>>>>                 name.endsWith(".SF") ||
>>>>>>                 name.endsWith(".DSA") ||
>>>>>>                 name.endsWith(".RSA") ||
>>>>>>                 name.endsWith(".EC") ||
>>>>>>                 name.startsWith("META-INF/SIG-")
>>>>>>     );
>>>>>>
>>>>>>
>>>>>>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle)
>>>>>>> <james.las...@oracle.com> wrote:
>>>>>>>
>>>>>>> Right. From SignatureFileVerifier.java
>>>>>>>
>>>>>>>
>>>>>>>     /**
>>>>>>>      * Utility method used by JarVerifier and JarSigner
>>>>>>>      * to determine the signature file names and PKCS7 block
>>>>>>>      * files names that are supported
>>>>>>>      *
>>>>>>>      * @param s file name
>>>>>>>      * @return true if the input file name is a supported
>>>>>>>      *          Signature File or PKCS7 block file name
>>>>>>>      */
>>>>>>>     public static boolean isBlockOrSF(String s) {
>>>>>>>         // we currently only support DSA and RSA PKCS7 blocks
>>>>>>>         return s.endsWith(".SF")
>>>>>>>             || s.endsWith(".DSA")
>>>>>>>             || s.endsWith(".RSA")
>>>>>>>             || s.endsWith(".EC");
>>>>>>>     }
>>>>>>>
>>>>>>>     /**
>>>>>>>      * Yet another utility method used by JarVerifier and JarSigner
>>>>>>>      * to determine what files are signature related, which includes
>>>>>>>      * the MANIFEST, SF files, known signature block files, and other
>>>>>>>      * unknown signature related files (those starting with SIG- with
>>>>>>>      * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>>>>>>      *
>>>>>>>      * @param name file name
>>>>>>>      * @return true if the input file name is signature related
>>>>>>>      */
>>>>>>>     public static boolean isSigningRelated(String name) {
>>>>>>>         name = name.toUpperCase(Locale.ENGLISH);
>>>>>>>         if (!name.startsWith("META-INF/")) {
>>>>>>>             return false;
>>>>>>>         }
>>>>>>>         name = name.substring(9);
>>>>>>>         if (name.indexOf('/') != -1) {
>>>>>>>             return false;
>>>>>>>         }
>>>>>>>         if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>>>>>>             return true;
>>>>>>>         } else if (name.startsWith("SIG-")) {
>>>>>>>             // check filename extension
>>>>>>>             // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>>>>>>             // for what filename extensions are legal
>>>>>>>             int extIndex = name.lastIndexOf('.');
>>>>>>>             if (extIndex != -1) {
>>>>>>>                 String ext = name.substring(extIndex + 1);
>>>>>>>                 // validate length first
>>>>>>>                 if (ext.length() > 3 || ext.length() < 1) {
>>>>>>>                     return false;
>>>>>>>                 }
>>>>>>>                 // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>>>>>>                 for (int index = 0; index < ext.length(); index++) {
>>>>>>>                     char cc = ext.charAt(index);
>>>>>>>                     // chars are promoted to uppercase so skip lowercase checks
>>>>>>>                     if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>>>>>>                         return false;
>>>>>>>                     }
>>>>>>>                 }
>>>>>>>             }
>>>>>>>             return true; // no extension is OK
>>>>>>>         }
>>>>>>>         return false;
>>>>>>>     }
>>>>>>>
>>>>>>>
>>>>>>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman
>>>>>>>> <alan.bate...@oracle.com> wrote:
>>>>>>>>
>>>>>>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>>>>>>
>>>>>>>>> Thank you. Regarding SIG- I just followed the
>>>>>>>>> spec.
>>>>>>>>>
>>>>>>>> I hope Sean or Max can jump in on this, the other
>>>>>>>> question is .EC as I believe the JDK allows this when
>>>>>>>> signing too.
>>>>>>>>
>>>>>>>> -Alan
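
Added example, not part of the original thread or of the jlink sources: the revised entry-name check quoted above, applied to every entry of a small archive built in memory. The class name SignedEntryScan, the helper signatureEntries and the sample entry names are constructed for illustration. Unlike isSigningRelated, the revised check does not count META-INF/MANIFEST.MF and accepts any SIG- name without validating its extension.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SignedEntryScan {
    // The check as revised in the thread, taking the entry name as a String.
    static boolean isSignatureEntry(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
                name.endsWith(".SF") || name.endsWith(".DSA") ||
                name.endsWith(".RSA") || name.endsWith(".EC") ||
                name.startsWith("META-INF/SIG-"));
    }

    // Hypothetical helper: names of all signature entries in a JAR/ZIP stream.
    static List<String> signatureEntries(InputStream in) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                if (isSignatureEntry(e.getName())) {
                    hits.add(e.getName());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: empty entries, only the names matter here.
        String[] names = {
            "META-INF/MANIFEST.MF", "META-INF/APP.SF", "META-INF/app.rsa",
            "META-INF/SIG-FOO", "META-INF/services/x.SF",
            "com/example/Main.class", "data/notes.EC" };
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            for (String n : names) {
                out.putNextEntry(new ZipEntry(n));
                out.closeEntry();
            }
        }
        List<String> hits = signatureEntries(new ByteArrayInputStream(buf.toByteArray()));
        System.out.println(hits.isEmpty() ? "unsigned" : "signature entries: " + hits);
    }
}
```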