On Thu, 13 Jun 2024 14:01:55 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> There is an error in `jarsigner` on the "This JAR contains signed entries > that aren't signed by alias in this keystore" warning. The exit code is > determined by > [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L344) > but the warning message is controlled by > [`allAliasesFound`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L1183). > > Also, inside the `inKeyStoreForOneSigner()` method, all certificates in a > cert chain are used to determine whether the signer is in a keystore and if > any is inside the JAR file is treated as being signed by an alias in this > keystore. In fact, only the end-entity certificate (the first one in the > chain) should be checked. > > After the fix, the `allAliasesFound` field and the `SOME_ALIASES_NOT_FOUND` > constant are useless and can be removed. Main.java needs the copyright updated ------------- PR Review: https://git.openjdk.org/jdk/pull/19701#pullrequestreview-2116170502
