On Tue, 20 Sep 2022 17:47:03 GMT, Lance Andersen <lan...@openjdk.org> wrote:
>> Please review this PR which updates the JarInputStream class description to
>> clarify when the Manifest is accessible via JarInputStream::getManifest and
>> JarInputStream::get[Jar]Entry.
>>
>> It is worth noting that with this update, we are finally documenting
>> behavior that dates back to when this class was added to JDK 1.2
>>
>>
>> Best,
>> Lance
>
> Lance Andersen has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   More wordsmithing to the signed jar section

src/java.base/share/classes/java/util/jar/JarInputStream.java line 77:

> 75:  * {@link JarEntry#getCertificates()} may be called to obtain the certificates
> 76:  * for this entry and {@link JarEntry#getCodeSigners()} may be called to obtain
> 77:  * the signers.

Now that this API has a section about signed JARs, I think it is very important to include the following sentences which are copied from `JarFile`:

"Please note that the verification process does not include validating the signer's certificate. A caller should inspect the return value of [JarEntry.getCodeSigners()](https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/util/jar/JarEntry.html#getCodeSigners()) to further determine if the signature can be trusted."

-------------

PR: https://git.openjdk.org/jdk/pull/10045
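The check the comment asks callers to perform, as an added example that is not part of the PR or the JDK sources: it reads a JAR through `JarInputStream`, reads each entry to EOF so that `getCodeSigners()` is populated, and then validates each signer's certificate path with PKIX against a caller-supplied trust store (the trust store, the `SignedJarCheck` class name and the disabled revocation checking are assumptions of this example).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;

public final class SignedJarCheck {
    /** True only if every content entry is signed by a signer whose chain validates against trustStore. */
    public static boolean allEntriesTrusted(Path jar, KeyStore trustStore) throws Exception {
        // JarInputStream (verify=true) checks the signatures and digests, but it never validates
        // the signer's certificate; that is the caller's job, done here with PKIX path validation.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore); // assumed caller-supplied trust anchors
        params.setRevocationEnabled(false); // assumption: revocation policy is handled elsewhere

        try (InputStream in = Files.newInputStream(jar);
             JarInputStream jis = new JarInputStream(in, true)) {
            byte[] buf = new byte[8192];
            JarEntry entry;
            while ((entry = jis.getNextJarEntry()) != null) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not signed content entries
                }
                // Signers become available only after the entry has been read to EOF.
                while (jis.read(buf) != -1) { /* consume; a digest mismatch throws SecurityException */ }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry
                }
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    try {
                        validator.validate(signer.getSignerCertPath(), params);
                        trusted = true;
                        break;
                    } catch (CertPathValidatorException e) {
                        // chain does not lead to a configured trust anchor; try the next signer
                    }
                }
                if (!trusted) return false;
            }
        }
        return true;
    }
}
```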