On Thu, 13 Feb 2025 16:27:03 GMT, Sean Mullan <[email protected]> wrote:
> This change adds an API note to these methods recommending that the caller
> should perform further validation steps on the code signers that signed the
> JAR file, such as validating the code signer's certificate chain, and
> determining if the signer should be trusted. There was already a similar
> warning in the `JarFile` and `JarInputStream` class descriptions, but this
> adds a similar and more direct warning at the methods that return the code
> signer's certificates.
>
> 2 other smaller changes:
> - In `JarEntry.getCertificates`, added a recommendation to use the
> `getCodeSigners` method instead
> - Added details of the order of the returned certificates to
> `JarURLConnection.getCertificates` (copied from `JarEntry.getCertificates`)

src/java.base/share/classes/java/util/jar/JarEntry.java line 100:

> 98: * reached. Otherwise, this method will return {@code null}.
> 99: *
> 100: * <p>It is recommended to use the {@link getCodeSigners} method
> instead,

Isn't this missing a `#` to be a valid link?

Suggestion:

* <p>It is recommended to use the {@link #getCodeSigners} method instead,

(Please don't use the "Commit suggestion" button to not include me as author)

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23616#discussion_r1961440218
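
The validation that the API note in the quoted description recommends (validate each code signer's certificate chain and decide whether the signer is trusted) could look like the following. This is an added example, not code from the PR or the JDK; the class name `JarSignerTrustCheck`, the helper names and the command-line arguments are hypothetical, and it assumes trust is defined by a caller-supplied truststore with revocation checking left off.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerTrustCheck {
    // Signature-related files are not themselves signed, so they carry no signers.
    private static final String SIG = "META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))";
    /** True only if every content entry has a signer whose chain validates to trustStore. */
    static boolean allEntriesTrusted(JarFile jar, KeyStore trustStore) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: offline demo, revocation left off
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        byte[] buf = new byte[8192];
        for (JarEntry entry : Collections.list(jar.entries())) {
            String name = entry.getName().toUpperCase(Locale.ROOT);
            if (entry.isDirectory() || name.matches(SIG)) continue;
            // Signers exist only after a full read; a digest mismatch throws SecurityException.
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null) return false; // unsigned entry
            if (!anyChainValid(signers, validator, params)) return false;
        }
        return true;
    }
    private static boolean anyChainValid(CodeSigner[] signers, CertPathValidator v,
                                         PKIXParameters p) throws Exception {
        for (CodeSigner s : signers) {
            try { v.validate(s.getSignerCertPath(), p); return true; }
            catch (CertPathValidatorException e) { /* invalid or untrusted chain; try next */ }
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(new File(args[1]), args[2].toCharArray());
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            System.out.println(allEntriesTrusted(jar, ts) ? "trusted" : "NOT trusted");
        }
    }
}
```

Certificate validity is checked against the current time here; the signature timestamp returned by `CodeSigner.getTimestamp()` is not consulted.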