On Tue, 7 Sep 2021 17:39:20 GMT, Sean Mullan <[email protected]> wrote:
>> src/java.base/share/classes/java/util/jar/JarVerifier.java line 147:
>>
>>> 145:
>>> 146: if (uname.equals(JarFile.MANIFEST_NAME) ||
>>> 147: uname.equals(JarFile.INDEX_NAME)) {
>>
>> It would be useful if someone from security-libs could comment on this. The
>> interaction between signed JAR and JAR index isn't very clear. The change
>> you have is safe but it might be that we can drop the checking for
>> INDEX.LIST here.
>
> I am thinking this line should not be removed for compatibility with existing
> JARs that have indexes.

Still keep the code.

-------------
PR: https://git.openjdk.java.net/jdk/pull/5383