Steve Loughran wrote:
I am reworking signjar to do filesets with dest dirs, and the dependency logic is causing trouble:

    protected boolean isUpToDate(File jarFile, File signedjarFile) {
        if (null == jarFile) {
            return false;
        }

        if (null != signedjarFile) {

            if (!jarFile.exists()) {
              return false;
            }
            if (!signedjarFile.exists()) {
              return false;
            }
            if (jarFile.equals(signedjarFile)) {
              return false;
            }
            if (FILE_UTILS.isUpToDate(jarFile, signedjarFile)) {
                return true;
            }
        } else {
            if (lazy) {
                return isSigned(jarFile);
            }
        }

        return false;
    }


1. The lazy flag is only used if the signedJarfile is empty; that is, we only compare ourselves.
If you had <signjar jar="foo.jar" signedjar="foo.jar" /> the check would not take place.


2. But it would engage when checking filesets, because they always run with signedJarFile==null.

3. And there is no check that the jar is signed by who is actually signing the JAR now.

Why don't we do an isSigned check whenever the dest jar exists?

No, it makes sense. If a dest jar exists, we don't care if it is signed or not, only if it is older than the source.


When looking at ourselves, timestamps match, so we check then to see if we are signed; it is the only logic left.

I'm changing to the following rules:

-no source file: out of date
-source==dest: false or check signature
-else: check timestamp

This seems a lot simpler. The big change is now we explicitly look at the name of the dest file to decide whether to do isSigned() checking.

    protected boolean isUpToDate(File jarFile, File signedjarFile) {
        if (null == jarFile || !jarFile.exists()) {
            //these are pathological cases, but retained in case somebody
            //subclassed us.
            return false;
        }

        //we normally compare destination with source
        File destFile = signedjarFile;
        if(destFile==null) {
            //but if no dest is specified, compare source to source
            destFile=jarFile;
        }

        //if, by any means, the destfile and source match,
        if (jarFile.equals(destFile)) {
            if (lazy) {
                //we check the presence of signatures on lazy signing
                return isSigned(jarFile);
            }
            //unsigned or non-lazy self signings are always false
            return false;
        }

        //if they are different, the timestamps are used
        return FILE_UTILS.isUpToDate(jarFile, destFile);
    }
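
Point 3 above, as an added example that is not part of the original message or Ant's own code: a stand-alone check, using the JDK's java.util.jar API, that every payload entry of a JAR verifies and was signed with one specific certificate. The names SignerCheck, signedBy and isSignatureFile, and the idea of pinning the signer by SHA-256 certificate fingerprint, are assumptions for illustration.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerCheck {
    // Manifest and signature block files are not themselves signed, so skip them.
    static boolean isSignatureFile(String name) {
        return name.matches("(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|DSA|RSA|EC))");
    }

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // True only if every payload entry verifies and carries a signature whose
    // signing certificate has the expected SHA-256 fingerprint (hex).
    static boolean signedBy(File jar, String expectedFingerprint) throws Exception {
        boolean sawPayload = false;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {    // true = verify signatures
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are only known once the entry has been read to the end;
                // a tampered entry makes read() throw SecurityException.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                boolean match = false;
                CodeSigner[] signers = e.getCodeSigners();
                for (CodeSigner s : signers == null ? new CodeSigner[0] : signers) {
                    // The signer's own certificate is first in the path.
                    byte[] cert = s.getSignerCertPath().getCertificates().get(0).getEncoded();
                    match |= sha256Hex(cert).equalsIgnoreCase(expectedFingerprint);
                }
                if (!match) return false;              // unsigned, or signed by someone else
                sawPayload = true;
            }
        }
        return sawPayload;                             // an empty jar proves nothing
    }

    public static void main(String[] args) throws Exception {
        // args: <jar path> <expected certificate SHA-256, hex>
        System.out.println(signedBy(new File(args[0]), args[1]));
    }
}
```

Unlike a check for the presence of a signature file, this returns false for a JAR that was signed by a different key or that has unsigned entries added after signing.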


