8339280: jarsigner -verify performs cross-checking between CEN and LOC

[franferrax]

Hi, this is a backport of openjdk/jdk17u-dev#3954. The backport is almost clean, except for:

• Trivial context differences in Main.java, Resources.java, Resources_ja.java, and Resources_zh_CN.java
• The English jarsigner.1 manpages have a slightly different format (manually adjusted to match the 11u format)
  • Also, there are 3 identical files for it (Linux, BSD, Solaris)
• There also exist a Japanese version of the jarsigner.1 manpages, they were updated using an LLM translation (giving as context the translations from the resources files, where there is a similar sentence), if any Japanese speaker is reading this, please check it:

  This jar contains internal inconsistencies detected during verification that may result in different contents when reading via JarFile and JarInputStream.
  ⬇️
  このjarには検証中に検出された内部的な不整合があるため、JarFileとJarInputStreamから読み取る場合にコンテンツが異なる可能性があります。

  • I updated src/linux/doc/man/ja/jarsigner.1 and src/solaris/doc/sun/man/man1/ja/jarsigner.1 (identical), and left src/bsd/doc/man/ja/jarsigner.1 untouched (doesn't have any content besides the headers)
  • Tip: these files are encoded in EUC-JP, to open them in VIM use vim -c "e ++enc=EUC-JP" .../ja/jarsigner.1

$\mbox{\color{red}UPDATE}$ (191d5ca): all the internationalized messages have been removed, as they aren't typically included in backports (thanks @jerboaa for letting me know).

Related issues ("relates to" Jira issue links)

JDK-8353299 (openjdk/jdk@acd4da4) and JDK-8367782 (openjdk/jdk@1b9a116) were also included as part of this backport. They are test-only changes that improve the reliability and coverage of VerifyJarEntryName.java.

Since test/hotspot/jtreg/runtime/appcds/SignedJar.java is not failing after the backport, JDK-8353330 was not included.

Testing

• Besides the tier1 run from the GitHub actions (all passed), I ran a regression using the following categories and individual tests:
  • test/hotspot/jtreg/runtime/appcds/SignedJar.java
  • test/jdk/java/security/SignedJar
  • test/jdk/java/util/jar
  • test/jdk/jdk/security/jarsigner
  • test/jdk/sun/security/pkcs/pkcs7
  • test/jdk/sun/security/tools/jarsigner
    • Includes VerifyJarEntryName.java, created for this issue
  • test/jdk/sun/security/tools/keytool

No regressions were found against the current master branch (465fb7d).

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8339280 needs maintainer approval
• JDK-8353299 needs maintainer approval
• JDK-8367782 needs maintainer approval

Warning

 ⚠️ Found leading lowercase letter in issue title for 8339280: jarsigner -verify performs cross-checking between CEN and LOC

Issues

• JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC (Enhancement - P4 - Approved)
• JDK-8353299: VerifyJarEntryName.java test fails (Bug - P3 - Approved)
• JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName (Bug - P4 - Approved)

Reviewers

• Alexey Bakhtin (@alexeybakhtin - Reviewer)
• Severin Gehwolf (@jerboaa - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3098/head:pull/3098
$ git checkout pull/3098

Update a local copy of the PR:
$ git checkout pull/3098
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3098/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3098

View PR using the GUI difftool:
$ git pr show -t 3098

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3098.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back fferrari! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@franferrax This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8339280: jarsigner -verify performs cross-checking between CEN and LOC
8353299: VerifyJarEntryName.java test fails
8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName

Reviewed-by: abakhtin, sgehwolf

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 20 new commits pushed to the master branch:

• 9c5f0dd: Merge
• d3b1c2b: 8360937: Enhance certificate handling
• 2c7f456: 8356294: Enhance Path Factories
• ... and 17 more: https://git.openjdk.org/jdk11u-dev/compare/465fb7df15176dfe7a044241c8f44411b307df4c...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@alexeybakhtin, @jerboaa) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[franferrax]

/issue add 8353299

[franferrax]

/issue add 8367782

[openjdk]

@franferrax
Adding additional issue to issue list: 8353299: VerifyJarEntryName.java test fails.

[openjdk]

@franferrax
Adding additional issue to issue list: 8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName.

[mlbridge]

Webrevs

• 01: Full - Incremental (191d5cad)
• 00: Full (4d0f781b)

[alexeybakhtin]

LGTM

[openjdk]

⚠️ @franferrax This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[franferrax]

/approval request JDK-8339280 enhances the jarsigner utility with cross-validation of JAR entries. Subsequent test updates (JDK-8353299 & JDK-8367782) are included for better reliability and coverage. Please find details about the testing in the pull request description.

[openjdk]

@franferrax
8339280: The approval request has been created successfully.
8353299: The approval request has been created successfully.
8367782: The approval request has been created successfully.

[bridgekeeper]

@franferrax This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[franferrax]

@gnu-andrew, @jerboaa: please consider these issues for jdk-11.0.30.

[jerboaa]

Looks OK to me.

[jerboaa]

/approve yes

[openjdk]

@jerboaa
8339280: The approval request has been approved.
8353299: The approval request has been approved.
8367782: The approval request has been approved.

[franferrax]

/integrate

[openjdk]

@franferrax
Your change (at version 191d5ca) is now ready to be sponsored by a Committer.

[phohensee]

/sponsor

[openjdk]

Going to push as commit c40bce3.
Since your change was applied there have been 20 commits pushed to the master branch:

• 9c5f0dd: Merge
• d3b1c2b: 8360937: Enhance certificate handling
• 2c7f456: 8356294: Enhance Path Factories
• ... and 17 more: https://git.openjdk.org/jdk11u-dev/compare/465fb7df15176dfe7a044241c8f44411b307df4c...master

Your commit was automatically rebased without conflicts.

[openjdk]

@phohensee @franferrax Pushed as commit c40bce3.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.