8339280: jarsigner -verify performs cross-checking between CEN and LOC

[franferrax]

Hi, this is a backport of openjdk/jdk21u-dev#2235. The backport is almost clean, except for:

• A slightly different context around Main.java imports
• 17u doesn't have Resources_de.java (changes were discarded)
  • $\mbox{\color{red}UPDATE}$ (ea571bc): all the internationalized messages have been removed, as they aren't typically included in backports (thanks @jerboaa for letting me know).
• The jarsigner.1 manpage has a slightly different format (manually adjusted to match the 17u format)

Related issues ("relates to" Jira issue links)

JDK-8353299 (openjdk/jdk@acd4da4) and JDK-8367782 (openjdk/jdk@1b9a116) were also included as part of this backport. They are test-only changes that improve the reliability and coverage of VerifyJarEntryName.java.

Since test/hotspot/jtreg/runtime/cds/appcds/SignedJar.java is not failing after the backport, JDK-8353330 was not included.

Testing

• Besides the tier1 run from the GitHub actions (all passed), I ran a regression using the following categories and individual tests:
  • test/hotspot/jtreg/runtime/cds/appcds/SignedJar.java
  • test/jdk/java/security/SignedJar
  • test/jdk/java/util/jar
  • test/jdk/jdk/security/jarsigner
  • test/jdk/sun/security/pkcs/pkcs7
  • test/jdk/sun/security/tools/jarsigner
    • Includes VerifyJarEntryName.java, created for this issue
  • test/jdk/sun/security/tools/keytool

No regressions were found against the current master branch (ec6528e).

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8339280 needs maintainer approval
• JDK-8353299 needs maintainer approval
• JDK-8367782 needs maintainer approval

Warning

 ⚠️ Found leading lowercase letter in issue title for 8339280: jarsigner -verify performs cross-checking between CEN and LOC

Issues

• JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC (Enhancement - P4 - Approved)
• JDK-8353299: VerifyJarEntryName.java test fails (Bug - P3 - Approved)
• JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName (Bug - P4 - Approved)

Reviewers

• Alexey Bakhtin (@alexeybakhtin - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/3954/head:pull/3954
$ git checkout pull/3954

Update a local copy of the PR:
$ git checkout pull/3954
$ git pull https://git.openjdk.org/jdk17u-dev.git pull/3954/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3954

View PR using the GUI difftool:
$ git pr show -t 3954

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/3954.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back fferrari! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@franferrax This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8339280: jarsigner -verify performs cross-checking between CEN and LOC
8353299: VerifyJarEntryName.java test fails
8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName

Reviewed-by: abakhtin

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 60 new commits pushed to the master branch:

• 7828779: 8347129: cpuset cgroups controller is required for no good reason
• 138c1f5: 8355333: Some Problem list entries point to non-existent / wrong files
• 200552e: 8353586: Open source several toolkit tests
• ... and 57 more: https://git.openjdk.org/jdk17u-dev/compare/ec6528e9cf66abe34b9c293359ca11a4b550b7a8...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@alexeybakhtin) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[franferrax]

/issue add 8353299

[franferrax]

/issue add 8367782

[openjdk]

@franferrax
Adding additional issue to issue list: 8353299: VerifyJarEntryName.java test fails.

[openjdk]

@franferrax
Adding additional issue to issue list: 8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName.

[mlbridge]

Webrevs

• 01: Full - Incremental (ea571bc8)
• 00: Full (ec1c644d)

[alexeybakhtin]

Thank you for the backport
LGTM

[openjdk]

⚠️ @franferrax This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[franferrax]

/approval request JDK-8339280 enhances the jarsigner utility with cross-validation of JAR entries. Subsequent test updates (JDK-8353299 & JDK-8367782) are included for better reliability and coverage. Please find details about the testing in the pull request description.

[openjdk]

@franferrax
8339280: The approval request has been created successfully.
8353299: The approval request has been created successfully.
8367782: The approval request has been created successfully.

[GoeLin]

Hi @franferrax,
Next time, please backport on the base of the push to 21. (This should be done always if the backport to 21 was not clean). The important part of that is to make the title "backport <hash in 21>" . You can also use the /backport command in the push to 21, this is especially useful if the backport to 17 from 21 is clean.

This would make the comment of this change very simple:
"Clean backport from 21 except for formatting in the man page jarsigner.1"

Also, please don't do backports to older releases if those to younger ones need reviews. (It's ok if they are clean.)

[franferrax]

/integrate

[openjdk]

@franferrax
Your change (at version ea571bc) is now ready to be sponsored by a Committer.

[alexeybakhtin]

/sponsor

[openjdk]

Going to push as commit 82f1ed6.
Since your change was applied there have been 60 commits pushed to the master branch:

• 7828779: 8347129: cpuset cgroups controller is required for no good reason
• 138c1f5: 8355333: Some Problem list entries point to non-existent / wrong files
• 200552e: 8353586: Open source several toolkit tests
• ... and 57 more: https://git.openjdk.org/jdk17u-dev/compare/ec6528e9cf66abe34b9c293359ca11a4b550b7a8...master

Your commit was automatically rebased without conflicts.

[openjdk]

@alexeybakhtin @franferrax Pushed as commit 82f1ed6.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.