On Sun, 9 Feb 2025 05:02:07 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

> The jarsigner -verify command currently performs verification by reading from 
> JarFile to navigate the central directory (CEN) headers. It is now enhanced 
> to include cross-validation of entries between JarFile (CEN-based) and 
> JarInputStream (stream-based) representations of the JAR. It emits warnings 
> when detecting discrepancies between a JAR file’s central directory and its 
> local file entries.

I think we need to stand back from all this validation and consider what 
validation/checking should be done by jar tool vs. jarsigner tool. I think 
there is a strong argument to expand what `jar --validate` does (or add a new 
option) so that the jar tool can do the integrity checks that include the 
checks to ensure that the CEN and LOC entries are consistent. The `jarsigner 
-verify` option could augment that with focus on the signing rather than on ZIP 
or JAR file integrity issues.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/23532#issuecomment-2696686476
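The CEN/LOC cross-validation under discussion, as an added example that is not part of this thread and not OpenJDK's jarsigner or jar tool code. It is written in Python against the raw ZIP format rather than with JarFile/JarInputStream so that both views are visible: read_central_directory() parses the central directory the way a CEN-based reader does, walk_local_headers() follows local file headers sequentially the way a stream-based reader does, and cross_validate() reports every place the two views disagree (orphan local entries, CEN entries without a local header, duplicated local headers, CEN offsets that do not land on a header of the same name, and mismatched method/CRC/size fields). The sample JAR, the Evil.class entry and the patched CRC are constructed inline for the demonstration.

```python
"""Cross-validate a JAR's central directory (CEN) against its local file
headers (LOC). A CEN-based reader and a stream-based reader must agree on
the set of entries and their metadata; this reports where they diverge.
Example code, not OpenJDK's; the sample JAR below is constructed."""
import io
import struct
import zipfile
import zlib

LOC_SIG, CEN_SIG = b"PK\x03\x04", b"PK\x01\x02"
EOCD_SIG, DD_SIG = b"PK\x05\x06", b"PK\x07\x08"
LOC_FMT = "<4sHHHHHIIIHH"        # 30-byte local file header
CEN_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header


def walk_local_headers(data):
    """Sequential view (what a stream reader sees): follow each local header
    to the next. Returns ({name: (method, crc, csize, usize)}, duplicate_names)."""
    entries, dupes, pos = {}, [], 0
    while data.startswith(LOC_SIG, pos):
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen) = struct.unpack_from(LOC_FMT, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8")
        body = pos + 30 + nlen + xlen
        if flags & 0x8:
            # Sizes live in a trailing data descriptor, so a stream reader
            # must inflate to find the end of the data. Only deflate is
            # handled here; a stored entry with a descriptor is not streamable.
            if method != zipfile.ZIP_DEFLATED:
                raise ValueError(f"{name}: stored entry with data descriptor")
            d = zlib.decompressobj(-15)
            d.decompress(data[body:])
            end = len(data) - len(d.unused_data)
            if data.startswith(DD_SIG, end):
                end += 4
            crc, csize, usize = struct.unpack_from("<III", data, end)
            end += 12
        else:
            end = body + csize
        if name in entries:
            dupes.append(name)
        entries[name] = (method, crc, csize, usize)
        pos = end
    return entries, dupes


def read_central_directory(data):
    """Random-access view (what a CEN-based reader sees): locate the EOCD
    record, then parse the CEN headers it points to.
    Returns {name: (method, crc, csize, usize, loc_offset)}."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cen_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries, pos = {}, cen_off
    for _ in range(total):
        f = struct.unpack_from(CEN_FMT, data, pos)
        if f[0] != CEN_SIG:
            raise ValueError(f"bad CEN signature at offset {pos}")
        nlen, xlen, clen = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8")
        entries[name] = (f[4], f[7], f[8], f[9], f[16])
        pos += 46 + nlen + xlen + clen
    return entries


def cross_validate(data):
    """Return a list of warning strings; an empty list means CEN and LOC agree."""
    warnings = []
    cen = read_central_directory(data)
    loc, dupes = walk_local_headers(data)
    for name in dupes:
        warnings.append(f"{name}: duplicate local file header")
    for name in sorted(loc.keys() - cen.keys()):
        warnings.append(f"{name}: local entry not listed in the central directory")
    for name, (method, crc, csize, usize, off) in sorted(cen.items()):
        if name not in loc:
            warnings.append(f"{name}: central directory entry has no local file header")
            continue
        # The CEN offset must land on a local header carrying the same name.
        if data.startswith(LOC_SIG, off):
            nlen = struct.unpack_from("<H", data, off + 26)[0]
            if data[off + 30:off + 30 + nlen].decode("utf-8") != name:
                warnings.append(f"{name}: CEN offset {off} points at a different entry")
        else:
            warnings.append(f"{name}: CEN offset {off} is not a local file header")
        for field, c, l in zip(("method", "crc", "csize", "usize"), (method, crc, csize, usize), loc[name]):
            if c != l:
                warnings.append(f"{name}: {field} differs (CEN={c:#x}, LOC={l:#x})")
    return warnings


def build_jar(files):
    """Constructed sample input: an honest JAR written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in files.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def split_regions(data):
    """(local headers + data, central directory, EOCD record) of a ZIP."""
    eocd = data.rfind(EOCD_SIG)
    cen_off = struct.unpack_from("<I", data, eocd + 16)[0]
    return data[:cen_off], bytearray(data[cen_off:eocd]), bytearray(data[eocd:])


def tampered_jar(good):
    """Constructed attack: append a local entry the CEN never lists (only a
    stream reader sees Evil.class) and alter the CEN crc of a/B.class."""
    loc, cen, eocd = split_regions(good)
    extra, _, _ = split_regions(build_jar({"Evil.class": b"\xca\xfe\xba\xbe evil"}))
    rec = cen.find(b"a/B.class") - 46                        # that CEN header
    struct.pack_into("<I", cen, rec + 16, 0xDEADBEEF)         # its crc field
    struct.pack_into("<I", eocd, 16, len(loc) + len(extra))   # new CEN offset
    return bytes(loc + extra + cen + eocd)


GOOD = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
                  "a/B.class": b"\xca\xfe\xba\xbe honest class"})
TAMPERED = tampered_jar(GOOD)

if __name__ == "__main__":
    for label, jar in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, cross_validate(jar) or "CEN and LOC agree")
```

The check belongs wherever the ZIP is parsed twice: a signer that verifies hashes only over the CEN view while a runtime extracts through the stream view (or the reverse) is exactly what the orphan Evil.class entry exploits, which is why the thread argues for doing the format-integrity pass once, in the jar tool, rather than only inside jarsigner.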
