8339280: jarsigner -verify performs cross-checking between CEN and LOC

[franferrax]

Hi, this is a backport of openjdk/jdk@bbd5b17. The backport is not clean because of the following reasons.

Internationalization files

21u doesn't have JDK-8345940: Migrate security-related resources from Java classes to properties files (openjdk/jdk@9a49418), so changes from resources/jarsigner.properties, were applied to Resources.java.

Also, internationalized messages were added later, so they have been recovered from JDK-8359761: JDK 25 RDP1 L10n resource files update (openjdk/jdk@da7080f):

• New messages in resources/jarsigner_de.properties were applied to Resources_de.java
• New messages in resources/jarsigner_ja.properties were applied to Resources_ja.java
• New messages in resources/jarsigner_zh_CN.properties were applied to Resources_zh_CN.java

To convert these messages, I created the PropertiesToResources.java small program.

$\mbox{\color{red}UPDATE}$ (5d7505c): all the internationalized messages have been removed, as they aren't typically included in backports (thanks @jerboaa for letting me know).

Man pages

21u doesn't have JDK-8344056: Use markdown format for man pages (openjdk/jdk@475feb0), so changes from jarsigner.md, were applied to jarsigner.1.

Related issues ("relates to" Jira issue links)

JDK-8353299 (openjdk/jdk@acd4da4) and JDK-8367782 (openjdk/jdk@1b9a116) were also included as part of this backport. They are test-only changes that improve the reliability and coverage of VerifyJarEntryName.java.

Since test/hotspot/jtreg/runtime/cds/appcds/SignedJar.java is not failing after the backport, JDK-8353330 was not included.

Testing

• Besides the tier1 run from the GitHub actions (all passed), I ran a regression using the following categories and individual tests:
  • test/hotspot/jtreg/runtime/cds/appcds/SignedJar.java
  • test/jdk/java/security/SignedJar
  • test/jdk/java/util/jar
  • test/jdk/jdk/security/jarsigner
  • test/jdk/sun/security/pkcs/pkcs7
  • test/jdk/sun/security/tools/jarsigner
    • Includes VerifyJarEntryName.java, created for this issue
  • test/jdk/sun/security/tools/keytool

No regressions were found against the current master branch (10df11a).

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8339280 needs maintainer approval
• JDK-8353299 needs maintainer approval
• JDK-8367782 needs maintainer approval

Warning

 ⚠️ Found leading lowercase letter in issue title for 8339280: jarsigner -verify performs cross-checking between CEN and LOC

Issues

• JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC (Enhancement - P4 - Approved)
• JDK-8353299: VerifyJarEntryName.java test fails (Bug - P3 - Approved)
• JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName (Bug - P4 - Approved)

Reviewers

• Severin Gehwolf (@jerboaa - Reviewer)
• Alexey Bakhtin (@alexeybakhtin - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk21u-dev.git pull/2235/head:pull/2235
$ git checkout pull/2235

Update a local copy of the PR:
$ git checkout pull/2235
$ git pull https://git.openjdk.org/jdk21u-dev.git pull/2235/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2235

View PR using the GUI difftool:
$ git pr show -t 2235

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk21u-dev/pull/2235.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back fferrari! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@franferrax This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8339280: jarsigner -verify performs cross-checking between CEN and LOC
8353299: VerifyJarEntryName.java test fails
8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName

Reviewed-by: sgehwolf, abakhtin

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 30 new commits pushed to the master branch:

• 1bfd049: 8364996: java/awt/font/FontNames/LocaleFamilyNames.java times out on Windows
• 43c84df: 8364484: misc tests fail with Received fatal alert: handshake_failure
• dbb4327: 8360411: [TEST] open/test/jdk/java/io/File/MaxPathLength.java Refactor extract method to encapsulate Windows specific test logic
• ... and 27 more: https://git.openjdk.org/jdk21u-dev/compare/10df11a53aa01ac15386f072dd45fddc3bb03c17...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@jerboaa, @alexeybakhtin) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[franferrax]

/issue add 8353299

[franferrax]

/issue add 8367782

[openjdk]

@franferrax
Adding additional issue to issue list: 8353299: VerifyJarEntryName.java test fails.

[openjdk]

@franferrax
Adding additional issue to issue list: 8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName.

[mlbridge]

Webrevs

• 01: Full - Incremental (5d7505ca)
• 00: Full (69a03371)

[jerboaa]

Please remove changes to Resources_de.java, Resources_ja.java and Resources_zh_CN.java since those are part of a different bug and usually get updated in bulk. Looks good otherwise.

[franferrax]

Thanks @jerboaa, done in 5d7505c.

[alexeybakhtin]

@franferrax Shouldn't we update the copyright years in src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java, src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java, and src/jdk.jartool/share/man/jarsigner.1 files.
It is not part of the original patch because copyright year is 2025 for these files already

[jerboaa]

This looks OK to me.

[jerboaa]

@franferrax Shouldn't we update the copyright years in src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java, src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java, and src/jdk.jartool/share/man/jarsigner.1 files.
It is not part of the original patch because copyright year is 2025 for these files already

Not in a backport.

[openjdk]

⚠️ @franferrax This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[alexeybakhtin]

LGTM

[franferrax]

Thank you for your reviews, @alexeybakhtin and @jerboaa.

[franferrax]

/approval request JDK-8339280 enhances the jarsigner utility with cross-validation of JAR entries. Subsequent test updates (JDK-8353299 & JDK-8367782) are included for better reliability and coverage. Please find details about the testing in the pull request description.

[openjdk]

@franferrax
8339280: The approval request has been created successfully.
8353299: The approval request has been created successfully.
8367782: The approval request has been created successfully.

[jerboaa]

/approve yes

[openjdk]

@jerboaa
8339280: The approval request has been approved.
8353299: The approval request has been approved.
8367782: The approval request has been approved.

[franferrax]

/integrate

[openjdk]

@franferrax
Your change (at version 5d7505c) is now ready to be sponsored by a Committer.

[jerboaa]

/sponsor

[openjdk]

Going to push as commit 3e41a78.
Since your change was applied there have been 30 commits pushed to the master branch:

• 1bfd049: 8364996: java/awt/font/FontNames/LocaleFamilyNames.java times out on Windows
• 43c84df: 8364484: misc tests fail with Received fatal alert: handshake_failure
• dbb4327: 8360411: [TEST] open/test/jdk/java/io/File/MaxPathLength.java Refactor extract method to encapsulate Windows specific test logic
• ... and 27 more: https://git.openjdk.org/jdk21u-dev/compare/10df11a53aa01ac15386f072dd45fddc3bb03c17...master

Your commit was automatically rebased without conflicts.

[openjdk]

@jerboaa @franferrax Pushed as commit 3e41a78.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.