Thanks for the review, Alan. I'm in contact with Max already about
possible follow-up enhancements in this area. It would be worked via a
follow-on JBS record.

Regarding the error message, I'm fine with your suggestion. We can go
with this then:

"POSIX file permission attributes detected. These attributes are ignored
when signing and are not protected by the signature."

regards,
Sean.

On 02/07/2020 08:59, Alan Bateman wrote:
On 30/06/2020 14:51, Seán Coffey wrote:
:
During the CSR review, a suggestion was made to have jarsigner
preserve such attributes by default. Warnings about these attributes
will also be added during signing and verify operations (if detected).

Yes, signing should be additive so the original proposal to drop
information from the UNIX extra block would be surprising. The
intersection of those using zip/other tools to create zip files and
then signing them with jarsigner is probably small but it would still
be confusing for signing to lose information. Having jarsigner refuse
to sign these zip files by default, with an option to override, would
be a reasonable approach. The current proposal to print a warning
seems okay too.

I've skimmed through webrev.8218021.v5 which has this warning:

"POSIX file permission attributes detected. Note that these attributes
are unsigned and not protected by the signature."

I realize you've agreed this with the other Reviewers but I think that
"Note that these attributes are unsigned ..." is confusing as it could
be interpreted to mean that they have to be signed by some other
means, or even that the warning is because they are using unsigned
values.

It might be better to tweak the second part to make it a bit clearer,
up to you but something like "These attributes are ignored when
signing and are not protected by the signature".

-Alan