8339280: jarsigner -verify performs cross-checking between CEN and LOC

[franferrax]

Hi, this is a backport of openjdk/jdk17u-dev#3954. The backport is almost clean, except for:

• Trivial context differences in Main.java, Resources.java, Resources_ja.java, and Resources_zh_CN.java
• The English jarsigner.1 manpages have a slightly different format (manually adjusted to match the 11u format)
  • Also, there are 3 identical files for it (Linux, BSD, Solaris)
• There also exist a Japanese version of the jarsigner.1 manpages, they were updated using an LLM translation (giving as context the translations from the resources files, where there is a similar sentence), if any Japanese speaker is reading this, please check it:

  This jar contains internal inconsistencies detected during verification that may result in different contents when reading via JarFile and JarInputStream.
  ⬇️
  このjarには検証中に検出された内部的な不整合があるため、JarFileとJarInputStreamから読み取る場合にコンテンツが異なる可能性があります。

  • I updated src/linux/doc/man/ja/jarsigner.1 and src/solaris/doc/sun/man/man1/ja/jarsigner.1 (identical), and left src/bsd/doc/man/ja/jarsigner.1 untouched (doesn't have any content besides the headers)
  • Tip: these files are encoded in EUC-JP, to open them in VIM use vim -c "e ++enc=EUC-JP" .../ja/jarsigner.1

$\mbox{\color{red}UPDATE}$ (191d5ca): all the internationalized messages have been removed, as they aren't typically included in backports (thanks @jerboaa for letting me know).

Related issues ("relates to" Jira issue links)

JDK-8353299 (openjdk/jdk@acd4da4) and JDK-8367782 (openjdk/jdk@1b9a116) were also included as part of this backport. They are test-only changes that improve the reliability and coverage of VerifyJarEntryName.java.

Since test/hotspot/jtreg/runtime/appcds/SignedJar.java is not failing after the backport, JDK-8353330 was not included.

Testing

• Besides the tier1 run from the GitHub actions (all passed), I ran a regression using the following categories and individual tests:
  • test/hotspot/jtreg/runtime/appcds/SignedJar.java
  • test/jdk/java/security/SignedJar
  • test/jdk/java/util/jar
  • test/jdk/jdk/security/jarsigner
  • test/jdk/sun/security/pkcs/pkcs7
  • test/jdk/sun/security/tools/jarsigner
    • Includes VerifyJarEntryName.java, created for this issue
  • test/jdk/sun/security/tools/keytool

No regressions were found against the current master branch (465fb7d).

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8339280 needs maintainer approval
• JDK-8353299 needs maintainer approval
• JDK-8367782 needs maintainer approval

Warning

 ⚠️ Found leading lowercase letter in issue title for 8339280: jarsigner -verify performs cross-checking between CEN and LOC

Issues

• JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC (Enhancement - P4 - Requested)
• JDK-8353299: VerifyJarEntryName.java test fails (Bug - P3 - Requested)
• JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName (Bug - P4 - Requested)

Reviewers

• Alexey Bakhtin (@alexeybakhtin - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3098/head:pull/3098
$ git checkout pull/3098

Update a local copy of the PR:
$ git checkout pull/3098
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3098/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3098

View PR using the GUI difftool:
$ git pr show -t 3098

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3098.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back fferrari! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[franferrax]

/issue add 8353299

[franferrax]

/issue add 8367782

[openjdk]

@franferrax
Adding additional issue to issue list: 8353299: VerifyJarEntryName.java test fails.

[openjdk]

@franferrax
Adding additional issue to issue list: 8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName.

[mlbridge]

Webrevs

• 01: Full - Incremental (191d5cad)
• 00: Full (4d0f781b)

[alexeybakhtin]

LGTM

[openjdk]

⚠️ @franferrax This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[franferrax]

/approval request JDK-8339280 enhances the jarsigner utility with cross-validation of JAR entries. Subsequent test updates (JDK-8353299 & JDK-8367782) are included for better reliability and coverage. Please find details about the testing in the pull request description.

[openjdk]

@franferrax
8339280: The approval request has been created successfully.
8353299: The approval request has been created successfully.
8367782: The approval request has been created successfully.