On 17/01/2020 10:59, Seán Coffey wrote:
Hi,

Looking to introduce some JDK private functionality which will help preserve internal zip file attribute permissions when jarsigner is run on a zip file. Some of the logic is taken from the recent work carried out in this area for zipfs API.

https://bugs.openjdk.java.net/browse/JDK-8218021
http://cr.openjdk.java.net/~coffeys/webrev.8218021/webrev/

The jarsigner tool is for signing JAR files so it does look strange that it only preserves the permissions when signing a zip file.  So I think I agree with the other comments that that part of the proposal should be examined again. If you don't special case then the concerns about the toLowerCase() usage go away too.

The bigger issue with the proposal is that the signing doesn't cover the information in the extended extra blocks so they can be tampered with.  I think we need to hear from security-dev on this point. One option might be to emit a warning when there are permissions. Another is a jarsigner option to opt-in to preserve the permissions.

-Alan
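
The warning option discussed in the message above could be driven by a check like the following. This is an added example in Python, not part of the original message or of the JDK change. It assumes the permissions are the Unix mode bits in each entry's central-directory external attributes (the field Python's `zipfile` exposes as `external_attr`); the archive and the `bin/run.sh` entry name are constructed samples. It also compares per-entry content digests across two archives that differ only in those mode bits.

```python
import hashlib
import io
import stat
import zipfile

UNIX_HOST = 3  # "version made by" host value for Unix in the ZIP format


def build_zip(mode):
    """Constructed sample: one entry; mode=None stores no Unix permissions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("bin/run.sh", date_time=(2020, 1, 17, 10, 59, 0))
        if mode is None:
            info.create_system, info.external_attr = 0, 0
        else:
            info.create_system = UNIX_HOST
            info.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(info, b"#!/bin/sh\necho hello\n")
    return buf.getvalue()


def entries_with_permissions(data):
    """Return (name, octal mode) for entries carrying Unix permission bits."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = stat.S_IMODE(info.external_attr >> 16)
            if info.create_system == UNIX_HOST and mode:
                found.append((info.filename, oct(mode)))
    return found


def content_digests(data):
    """SHA-256 of each entry's content, the kind of digest a JAR manifest records."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


if __name__ == "__main__":
    for label, mode in (("0644", 0o644), ("0755", 0o755), ("none", None)):
        for name, perm in entries_with_permissions(build_zip(mode)):
            print(f"warning [{label}]: {name} carries permissions {perm}")
    # Archives differ only in the mode bits, yet the content digests match.
    same = content_digests(build_zip(0o644)) == content_digests(build_zip(0o755))
    print("content digests identical across modes:", same)
```
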
