JDK-8031572

jarsigner -verify exits with 0 when a jar file is not properly signed

    Details

    • Subcomponent:
    • Resolved In Build: b127
    • OS: linux
    • Verification: Verified

        Description

        FULL PRODUCT VERSION :
        java version "1.8.0-ea"
        Java(TM) SE Runtime Environment (build 1.8.0-ea-b121)
        Java HotSpot(TM) 64-Bit Server VM (build 25.0-b63, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Linux tc 3.12.6-1-ARCH #1 SMP PREEMPT Fri Dec 20 19:39:00 CET 2013 x86_64 GNU/Linux


        A DESCRIPTION OF THE PROBLEM :
        In Apache maven-jarsigner-plugin we got a regression around the jarsigner -verify command applied to an unsigned jar.

        With jdk 1.7.0_45:

        $> jarsigner -verify tampered.jar
        jarsigner: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

        Exit code is 1.

        With jdk 1.8.0:

        $> jarsigner -verify tampered.jar
        jar is unsigned. (signatures missing or not parsable)

        Exit code is 0.


        REGRESSION. Last worked in version 7u45

        ADDITIONAL REGRESSION INFORMATION:
        java version "1.7.0_45"
        Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
        Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)


        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Try on a badly signed jar:

        svn co http://svn.apache.org/repos/asf/maven/plugins/trunk/maven-jarsigner-plugin/src/it/verify-fail/tampered.jar
        run on it jarsigner -verify tampered.jar

        or

        Get the maven-jarsigner-plugin and execute the verify-fail IT

        svn co http://svn.apache.org/repos/asf/maven/plugins/trunk/maven-jarsigner-plugin
        cd maven-jarsigner-plugin
        mvn verify -Prun-its -Dinvoker.pom=src/it/verify-fail/pom.xml



        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Exit code = 1
        ACTUAL -
        Exit code = 0

        REPRODUCIBILITY :
        This bug can be reproduced always.
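
        Added example, not part of the original report or of the JDK or Maven code: a fail-closed shell wrapper for build pipelines that accepts a jar only when `jarsigner -verify` both exits with 0 and positively reports verification, so the exit-0 "jar is unsigned" case above is rejected. It assumes a successful run prints a line beginning with `jar verified.`; the function names `classify_jarsigner`, `verify_jar` and `self_check` are hypothetical.

```shell
#!/bin/sh
# Added example: do not trust the exit code of `jarsigner -verify` alone.
# Assumption: a successful verification prints a line starting "jar verified."

# classify_jarsigner EXIT_CODE OUTPUT
# Returns 0 only if the exit code is 0 AND the output affirms verification.
classify_jarsigner() {
    rc=$1
    out=$2
    # Any non-zero exit is a failure (the 7u45 behaviour in the report).
    [ "$rc" -eq 0 ] || return 1
    # Exit 0 with "jar is unsigned" is the 1.8.0-ea behaviour: reject it.
    case $out in
        *"jar is unsigned"*) return 1 ;;
    esac
    # Require positive confirmation; empty or unknown output fails closed.
    printf '%s\n' "$out" | grep -q '^jar verified\.' || return 1
    return 0
}

# verify_jar PATH: run jarsigner and apply the fail-closed classification.
verify_jar() {
    jar=$1
    out=$(jarsigner -verify "$jar" 2>&1)
    rc=$?
    if classify_jarsigner "$rc" "$out"; then
        echo "OK: $jar"
        return 0
    fi
    echo "REJECTED: $jar (jarsigner exit=$rc)" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# self_check: replay the two outputs quoted in the report plus one
# assumed success line; returns 0 if all are classified as expected.
self_check() {
    classify_jarsigner 1 "jarsigner: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes" && return 1
    classify_jarsigner 0 "jar is unsigned. (signatures missing or not parsable)" && return 1
    classify_jarsigner 0 "jar verified." || return 1
    return 0
}

# When called with a jar path, verify it and propagate the result.
if [ "$#" -gt 0 ]; then
    verify_jar "$1"
    exit $?
fi
```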

                People

                • Assignee: Weijun Wang (weijun)
                • Reporter: Webbug Group (webbuggrp)
