Sean, I'm not an Author (yet! :), so I can't log in to JBS and create issues.
I guess the title and description of the draft PR could serve as a starting point for a bug. Note that the Jar File Specification does explicitly say: "Note that if such files are located in META-INF subdirectories, they are not considered signature-related" Thanks, Eirik. On Fri, Jan 13, 2023 at 6:17 PM Sean Mullan <sean.mul...@oracle.com> wrote: > Off hand it seems like a bug to me, can you file one? The jar > specification says that the SF file resides in the META-INF directory > and says nothing about subdirectories. > > --Sean > > On 1/13/23 6:40 AM, Eirik Bjørsnøs wrote: > > Thanks for forwarding me to the right list, Alan > > > > For context, I posted a follow-up on the core-libs-dev thread yesterday > > showing that some other methods have the same problem: > > > > > https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html > <https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html > > > > > > And here's a draft PR for a fix, including a test which provokes the > > various code paths: > > > > https://github.com/openjdk/jdk/pull/11976 > > <https://github.com/openjdk/jdk/pull/11976> > > > > Cheers, > > Eirik. > > > > > > On Fri, Jan 13, 2023 at 9:32 AM Alan Bateman <alan.bate...@oracle.com > > <mailto:alan.bate...@oracle.com>> wrote: > > > > > > Forwarding to security-dev as that is where issues around signed > > JARs are usually discussed. > > > > -Alan. > > > > > > On 10/01/2023 17:00, Eirik Bjørsnøs wrote: > >> Hi, > >> > >> ZipFile.isSignatureRelated currently returns true for paths such > >> as the following: > >> > >> > > META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA > >> > >> While this path does start with "META-INF/" and ends with ".DSA", > >> the file does not live in the META-INF/ directory _directly_, but > >> rather several directories below. > >> > >> This causes such .DSA files to be incorrectly (?) included in the > >> verification of META-INF/MANIFEST.MF in > >> JarFile.initializeVerifier, which then fails with: > >> > >> Exception in thread "main" java.lang.SecurityException: > >> Invalid signature file digest for Manifest main attributes > >> at > >> > > java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:340) > >> at > >> > > java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:282) > >> at > >> > java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:327) > >> at > >> java.base/java.util.jar.JarVerifier.update(JarVerifier.java:239) > >> at > >> > java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:760) > >> at > >> > java.base/java.util.jar.JarFile.ensureInitialization(JarFile.java:1058) > >> at > >> > > java.base/java.util.jar.JavaUtilJarAccessImpl.ensureInitialization(JavaUtilJarAccessImpl.java:72) > >> at > >> > > java.base/jdk.internal.loader.URLClassPath$JarLoader$2.getManifest(URLClassPath.java:883) > >> at > >> > > java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:848) > >> at > >> > > java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760) > >> at > >> > > java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681) > >> at > >> > > java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639) > >> at > >> > > java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) > >> at > >> java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) > >> > >> > >> A few questions: > >> > >> 1: Where Is the exact location of signature related files specified? > >> > >> 2: Is the current behaviour indeed incorrect? > >> > >> 3: Should ZipFile.isSignatureRelated be updated such that it only > >> matches signature related files which reside exactly in "META-INF/" > ? > >> > >> The context for this is that I'm making a fat jar Maven plugin > >> which embeds dependency jars by "unpacking" them into > >> subdirectories of META-INF/libraries/. > >> > >> Cheers, > >> Eirik. > > >
