JDK-8215923

jar spec is not precise when describing jar file re-signing

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: core-libs
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      No risk. There is no behavior change.
    • Interface Kind:
      Other
    • Scope:
      SE

      Description

      Summary

      The JAR File spec is not precise when describing JAR file re-signing. The jar tool will not add new entries to the manifest. Instead, they are added by the jarsigner tool.

      Problem

      See above.

      Solution

      Fix the words.

      Specification

      Make the following change to the jar spec:

           One reason the digest value of the manifest file that is stored in
           the `x-Digest-Manifest` attribute may not equal the digest value of
      -    the current manifest file is that one or more files were added to
      -    the JAR file (using the jar tool) after the signature (and thus the
      -    signature file) was generated. When the jar tool is used to add
      -    files, the manifest file is changed (sections are added to it for
      -    the new files), but the signature file is not. A verification is
      +    the current manifest file is that it might contain sections for newly
      +    added files after the file was signed. For example, suppose one or
      +    more files were added to the JAR file (using the jar tool) after the
      +    signature (and thus the signature file) was generated. If the JAR
      +    file is signed again by a different signer, then the manifest file is
      +    changed (sections are added to it for the new files by the jarsigner
      +    tool) and a new signature file is created, but the original signature
      +    file is unchanged. A verification on the original signature is
           still considered successful if none of the files that were in the
           JAR file when the signature was generated have been changed since
           then, which is the case if the digest values in the non-header
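
      Review bot: In the first added sentence ("it might contain sections for newly added files after the file was signed"), "the file" can be read as the manifest file, which is the subject of the sentence, rather than the JAR file, and "after" attaches loosely to "newly added files". Suggest "it might contain sections for files that were added after the JAR file was signed". The example is also limited to re-signing "by a different signer" without saying why the qualifier matters; one clause stating that a different signer produces a separate signature file, which is why the original one is left unchanged, would make the condition explicit.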

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                weijun Weijun Wang
                Reviewed By:
                Alan Bateman, Roger Riggs