Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8031572

jarsigner -verify exits with 0 when a jar file is not properly signed

    XMLWordPrintable

Details

    • b127
    • linux
    • Verified

    Backports

      Description

        FULL PRODUCT VERSION :
        java version "1.8.0-ea"
        Java(TM) SE Runtime Environment (build 1.8.0-ea-b121)
        Java HotSpot(TM) 64-Bit Server VM (build 25.0-b63, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Linux tc 3.12.6-1-ARCH #1 SMP PREEMPT Fri Dec 20 19:39:00 CET 2013 x86_64 GNU/Linux


        A DESCRIPTION OF THE PROBLEM :
        In Apache maven-jarsigner-plugin we got a regression around the jarsigner -verify command applyed to a unsigned jar.

        With jdk 1.7.0_45:

        $> jarsigner -verify tampered.jar
        jarsigner: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

        Exit code is 1.

        With jdk 1.8.0:

        $> jarsigner -verify tampered.jar
        jar is unsigned. (signatures missing or not parsable)

        Exit code is 0.


        REGRESSION. Last worked in version 7u45

        ADDITIONAL REGRESSION INFORMATION:
        java version "1.7.0_45"
        Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
        Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)


        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Try on a bad signed jar:

        svn co http://svn.apache.org/repos/asf/maven/plugins/trunk/maven-jarsigner-plugin/src/it/verify-fail/tampered.jar
        run on it jarsigner -verify tampered.jar

        or

        Get the maven-jarsigner-plugin and execute the verify-fail IT

        svn co http://svn.apache.org/repos/asf/maven/plugins/trunk/maven-jarsigner-plugin
        cd maven-jarsigner-plugin
        mvn verify -Prun-its -Dinvoker.pom=src/it/verify-fail/pom.xml



        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Exit code = 1
        ACTUAL -
        Exit code = 0

        REPRODUCIBILITY :
        This bug can be reproduced always.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8033246 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8033318 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8033641 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8034716 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8057414 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8060943 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8032442 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8032748 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8033351 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8035229 jarsigner -verify exits with 0 when a jar file is not properly signed

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8237604 [TEST_BUG] sun/security/tools/jarsigner/EntriesOrder.java not adapted for changes in JDK-7194449

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Enhancement - null JDK-8021788 JarInputStream doesn't provide certificates for some file under META-INF

            • P3 - Major loss of function.
            • Closed

            Enhancement - null JDK-8031748 Clarify jar entry orders in a jar file

            • P3 - Major loss of function.
            • Resolved

            Activity

              People

                rpallath Rajendrakumar Pallath
                webbuggrp Webbug Group
                Votes:
                0 Vote for this issue
                Watchers:
                14 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: