
The signed jar entries aren't in specific order to be consumed by java.util.jar.JarInputStream and java.util.jar.JarVerifier APIs #85

Status: Open · tsiddiq opened this issue May 22, 2024 · 1 comment · Label: bug (Something isn't working)

tsiddiq commented May 22, 2024

Eclipse (which uses the java.util.jar.JarInputStream and java.util.jar.JarVerifier APIs) is not showing the jar plugins signed by SignServer as signed ones. It is because of the order of the Jar archive entries (i.e., jar -tf ), which is not the way the Java JarInputStream and JarVerifier APIs expect them to be (found out after a deep dive into the Eclipse and Java jar APIs). The JarVerifier expects META-INF/MANIFEST.MF to be the first or second entry and the *.SF and *.RSA files at second and third respectively, and then the remaining files in any order.

Just to show the difference, I'm dumping the entries of one of the Eclipse open-source plugins signed with two different approaches.

Jar entries from the plugin signed with jarsigner locally:

META-INF/MANIFEST.MF
META-INF/EXAMPLE.SF
META-INF/EXAMPLE.RSA
META-INF/
org/
org/eclipse/
org/eclipse/cdt/
org/eclipse/cdt/gdb/
org/eclipse/cdt/gdb/internal/
org/eclipse/cdt/gdb/internal/eventbkpts/
org/eclipse/cdt/gdb/eventbkpts/
org/eclipse/cdt/gdb/internal/Activator.class
org/eclipse/cdt/gdb/internal/eventbkpts/GdbCatchpoints.class
org/eclipse/cdt/gdb/eventbkpts/IEventBreakpointConstants.class
about.mappings
cdt_logo_icon32.png
about.properties
about.html
about.ini
plugin.properties

Jar entries from the plugin signed with SignServer (EE):

META-INF/
META-INF/MANIFEST.MF
org/
org/eclipse/
org/eclipse/cdt/
org/eclipse/cdt/gdb/
org/eclipse/cdt/gdb/eventbkpts/
org/eclipse/cdt/gdb/internal/
org/eclipse/cdt/gdb/internal/eventbkpts/
about.html
about.ini
about.mappings
about.properties
cdt_logo_icon32.png
org/eclipse/cdt/gdb/eventbkpts/IEventBreakpointConstants.class
org/eclipse/cdt/gdb/internal/Activator.class
org/eclipse/cdt/gdb/internal/eventbkpts/GdbCatchpoints.class
plugin.properties
META-INF/SIGNSERV.SF
META-INF/SIGNSERV.RSA

So I had to post-process SignServer's signed jar file to fix the order of its entries. IMO, it should be fixed in SignServer.

@tsiddiq tsiddiq added the bug Something isn't working label May 22, 2024
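The post-processing step the reporter describes, written out as an added example (this is not SignServer's code, nor the reporter's script). It checks whether a given entry order is one that JarInputStream/JarVerifier will verify while streaming (manifest first, or second after a bare `META-INF/` directory entry; every `.SF` and signature block before the first non-META-INF entry, which is where the verifier stops looking for signature files), and it rewrites a jar into that order. Besides `.RSA`, it treats `.DSA` and `.EC` as signature-block suffixes, which is the set the JDK's verifier parses. The sample jar is constructed here with placeholder content, so the manifest and signature entries are dummies; the check only looks at the entry order, not at signature validity.

```python
"""Reorder a signed JAR so java.util.jar.JarInputStream will verify it.

Added example for this issue; it is not SignServer's or the reporter's code.
It keeps every entry's bytes, timestamp and compression unchanged and only
rewrites the archive order, so the existing signature stays valid (JAR
signatures cover the manifest and per-entry digests, not the order).
"""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# .SF plus the signature-block suffixes the JDK's JarVerifier parses.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def _is_signature_file(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIG_SUFFIXES)


def verification_order_ok(names):
    """Mimic the order rules JarInputStream/JarVerifier apply while streaming.

    The manifest must be the first entry, or the second one after a bare
    'META-INF/' directory entry. Every .SF/.RSA/.DSA/.EC file must come
    before the first entry that is not a META-INF/ directory, the manifest
    or a signature file; signature files after that point are never parsed,
    so the JAR is reported as unsigned.
    """
    start = 1 if names and names[0].upper() == "META-INF/" else 0
    if start >= len(names) or names[start].upper() != MANIFEST:
        return False
    in_meta_block = True
    for name in names[start + 1:]:
        upper = name.upper()
        if in_meta_block:
            if upper.startswith("META-INF/") and (
                name.endswith("/") or upper == MANIFEST or _is_signature_file(name)
            ):
                continue
            in_meta_block = False
        if _is_signature_file(name):
            return False  # too late: the verifier has already left the meta block
    return True


def _rank(name):
    """Sort key: manifest, then signature files grouped per signer (.SF first),
    then everything else in its original order (sorted() is stable)."""
    upper = name.upper()
    if upper == MANIFEST:
        return (0, "", 0)
    if _is_signature_file(name):
        stem, _, ext = upper.rpartition(".")
        return (1, stem, 0 if ext == "SF" else 1)
    return (2, "", 0)


def reorder_signed_jar(jar_bytes):
    """Return a copy of the JAR with entries in a JarInputStream-friendly order."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in sorted(src.infolist(), key=lambda i: _rank(i.filename)):
            copy = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            copy.compress_type = info.compress_type
            copy.external_attr = info.external_attr
            copy.comment = info.comment
            dst.writestr(copy, src.read(info.filename))
    return out.getvalue()


def entry_names(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def read_entry(jar_bytes, name):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(name)


def build_sample_jar(names):
    """Constructed sample: a zip with the given entry order and placeholder
    content. The manifest and signature entries are dummies, not real
    signatures; only the entry order matters for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"" if name.endswith("/") else b"content of " + name.encode())
    return buf.getvalue()


# Abridged entry orders taken from the two listings in the issue.
JARSIGNER_ORDER = [
    "META-INF/MANIFEST.MF", "META-INF/EXAMPLE.SF", "META-INF/EXAMPLE.RSA", "META-INF/",
    "org/", "org/eclipse/", "org/eclipse/cdt/gdb/internal/Activator.class",
    "about.html", "plugin.properties",
]
SIGNSERVER_ORDER = [
    "META-INF/", "META-INF/MANIFEST.MF", "org/", "org/eclipse/",
    "about.html", "org/eclipse/cdt/gdb/internal/Activator.class", "plugin.properties",
    "META-INF/SIGNSERV.SF", "META-INF/SIGNSERV.RSA",
]

if __name__ == "__main__":
    for label, order in (("jarsigner", JARSIGNER_ORDER), ("SignServer", SIGNSERVER_ORDER)):
        print(f"{label}: verifiable in stream order = {verification_order_ok(order)}")
    fixed = entry_names(reorder_signed_jar(build_sample_jar(SIGNSERVER_ORDER)))
    print("after reorder:", fixed[:4], verification_order_ok(fixed))
```

Because the rewrite copies each entry's data, timestamp and compression method verbatim, `jarsigner -verify` on the reordered file should report the same result as on the original; only the order of entries (and therefore the order of local headers and the central directory) changes. Multiple signers are handled by grouping each `.SF` with its own block file, which the verifier accepts in either order as long as both arrive before the first ordinary entry.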
@mlundblad (Collaborator)

So, in essence, we would probably need to make sure the .SF and .RSA (or .EC, I think it was, when using ECDSA keys).
I remember we had some other issues with manifest entry ordering, so we need to take care to cover different cases when making changes.

Will take a look at this.

Thanks!
