On Tue, 4 Mar 2025 08:54:06 GMT, Alan Bateman <al...@openjdk.org> wrote:
>> The jarsigner -verify command currently performs verification by reading
>> from JarFile to navigate the central directory (CEN) headers. It is now
>> enhanced to include cross-validation of entries between JarFile (CEN-based)
>> and JarInputStream (stream-based) representations of the JAR. It emits
>> warnings when detecting discrepancies between a JAR file’s central directory
>> and its local file entries.
>
> I think we need to stand back from all this validation and consider what
> validation/checking should be done by jar tool vs. jarsigner tool. I think
> there is a strong argument to expand what `jar --validate` does (or add a new
> option) so that the jar tool can do the integrity checks that include the
> checks to ensure that the CEN and LOC entries are consistent. The `jarsigner
> -verify` option could augment that with focus on the signing rather than on
> ZIP or JAR file integrity issues.

@AlanBateman Thanks for the comment. As we had an internal discussion, we decided to add a small set of integrity checks to jarsigner. The webrev was updated as needed.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/23532#issuecomment-2719689109
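
The cross-validation discussed in this thread, shown as an added example that is not code from the PR or from jarsigner: it compares the entry names `JarFile` reads from the central directory with the names `JarInputStream` finds by walking the local headers, and warns on any difference. The class name `CenLocCheck`, its helper methods and the sample archive are assumptions made for illustration; only names are compared, and directory entries are ignored.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;
import java.util.zip.*;

public class CenLocCheck {   // hypothetical name, not a JDK class
    // File entry names from the central directory (the JarFile view).
    static Set<String> cenNames(Path jar) throws IOException {
        Set<String> names = new TreeSet<>();
        try (JarFile jf = new JarFile(jar.toFile())) {
            jf.stream().filter(e -> !e.isDirectory()).forEach(e -> names.add(e.getName()));
        }
        return names;
    }
    // File entry names from walking the local headers (the JarInputStream view).
    static Set<String> locNames(Path jar) throws IOException {
        Set<String> names = new TreeSet<>();
        try (JarInputStream in = new JarInputStream(Files.newInputStream(jar))) {
            // JarInputStream consumes a leading manifest itself; count it back in.
            if (in.getManifest() != null) names.add(JarFile.MANIFEST_NAME);
            for (JarEntry e; (e = in.getNextJarEntry()) != null; )
                if (!e.isDirectory()) names.add(e.getName());
        }
        return names;
    }
    // Constructed sample: one entry, then the name in its LOC header is altered.
    static byte[] sample() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("a.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
        }
        byte[] b = bos.toByteArray();
        b[30] = 'b';   // the LOC fixed header is 30 bytes, so the name starts at offset 30
        return b;
    }
    public static void main(String[] args) throws IOException {
        Path jar = Files.createTempFile("cenloc", ".jar");
        jar.toFile().deleteOnExit();
        Files.write(jar, sample());
        Set<String> cen = cenNames(jar), loc = locNames(jar);
        Set<String> onlyCen = new TreeSet<>(cen), onlyLoc = new TreeSet<>(loc);
        onlyCen.removeAll(loc);
        onlyLoc.removeAll(cen);
        if (!onlyCen.isEmpty()) System.out.println("WARNING: only in CEN: " + onlyCen);
        if (!onlyLoc.isEmpty()) System.out.println("WARNING: only in LOC: " + onlyLoc);
    }
}
```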