United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-4739089 : java web start does not handle signed jars correctly

Details
Type:
Bug
Submit Date:
2002-08-29
Status:
Resolved
Updated Date:
2002-11-19
Project Name:
JDK
Resolved Date:
2002-11-19
Component:
deploy
OS:
windows_nt,windows_2000
Sub-Component:
webstart
CPU:
x86
Priority:
P3
Resolution:
Fixed
Affected Versions:
1.2.0
Fixed Versions:
1.4.2 (mantis)

Related Reports
Duplicate:

Sub Tasks

Description

Name: nt126004			Date: 08/29/2002


FULL PRODUCT VERSION :
java version "1.4.1-rc"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1-rc-b19)
Java HotSpot(TM) Client VM (build 1.4.1-rc-b19, mixed mode)

FULL OPERATING SYSTEM VERSION :Windows NT Version 4.0


ADDITIONAL OPERATING SYSTEMS :(probalbly all supported OS)



A DESCRIPTION OF THE PROBLEM :
i wanted to use Apache-Jakrta-POI inmy application and
deploy it with java webstart.
But it looks like webstart still contains the bugs 4348802
and 4348800.
The jarfile jakarta-poi-1.5.1-FINAL-20020615.jar is built
by apache (or the ant-script that came with the source) and
starts like this (jarsingner -verbose -verify):
       33105 Thu Aug 22 15:52:28 CEST 2002 META-
INF/MANIFEST.MF
       32983 Thu Aug 22 15:52:30 CEST 2002 META-INF/MC-DWH.SF
        1088 Thu Aug 22 15:52:30 CEST 2002 META-INF/MC-DWH.DSA
           0 Sat Jun 15 13:43:02 CEST 2002 META-INF/
           0 Sat Jun 15 13:30:54 CEST 2002 org/
           0 Sat Jun 15 13:30:54 CEST 2002 org/apache/
           0 Sat Jun 15 13:30:54 CEST 2002 org/apache/poi/
           0 Sat Jun 15 13:30:54 CEST 2002 org/apache/poi/dev/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hpsf/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hpsf/littleendian/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hpsf/wellknown/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/dev/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/eventmodel/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/model/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/record/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/record/aggregates/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/record/formula/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/records/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/usermodel/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/util/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/common/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/dev/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/eventfilesystem/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/filesystem/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/property/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/storage/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/util/
sm       410 Sat Jun 15 13:30:58 CEST 2002 log4j.properties

the entries with length == 0 are directories, but webstart
seems to treat them like normal files with length==0 and
throws an exception like this:

Missing signed entry in resource:
http://erlf496a.erlf.siemens.de/dwh/files/fsq/sjakarta-poi-1.5.1-FINAL-20020615.jar

signed jars, that do not include zero-length entries of any
kind seem to be accepted.



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1.download jakarta from
http://jakarta.apache.org/builds/jakarta-poi/release/src/
2. sign sjakarta-poi-1.5.1-FINAL-20020615.jar to sjakarta-
poi-1.5.1-FINAL-20020615.jar
3. include that signed jar in any existing JNLP-file

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected:
1.
webstart should consider the type of the entry that is
verified. directory-entries will always have zero length,
and will never be signed, but that does not matter at all.
2.
webstart should not issue error-message of the kind :
"i know what is wrong, but i won't tell you"
instead of just printing a message like "Missing signed
entry in resource: " it should print at least the name of
the entry that is considered to be unsigned.



ERROR MESSAGES/STACK TRACES THAT OCCUR :
  Category: Download Error

Missing signed entry in resource:
http://erlf496a.erlf.siemens.de/dwh/files/fsq/sjakarta-poi-1.5.1-FINAL-
20020615.jar


REPRODUCIBILITY :
This bug can be reproduced always.

-------------- SOURCE CODE -----------------
<jnlp spec="1.0+" version="0.1" href="fsq.jnlp" codebase="http://erlf496a.erlf.s
iemens.de/dwh/files/fsq/">
  <information>
    <title>(TEST)FSQ</title>
    <vendor>SIEMENS AG, A&D MC IT</vendor>
    <homepage href="http://erlf496a.erlf.siemens.de/dwh/files/fsq/index.html" />
    <description kind="one-line">FSQ Test</description>
    <description kind="tooltip">dies ist die aktuelle Entwicklungsversion des FS
Q-Frontends</description>
    <description kind="short">Testversion vom 13.08.2002</description>
    <icon href="fsq_logo.gif" />
    <offline-allowed />
  </information>
  <security>
  </security>
  <resources>
    <j2se version="1.4+"  />
    <jar href="sFSQimages.jar" />
    <jar href="sFSQproperties.jar" />
    <jar href="sFSQini.jar" />
    <jar href="sclasses12.jar" />
    <jar href="scommons-logging-1.0.jar" />
    <jar href="sjakarta-poi-1.5.1-FINAL-20020615.jar" />
    <jar href="sJCT.jar" />
    <jar href="sJCTds.jar" />
    <jar href="sJCE.jar" />
    <jar href="sFSQ.jar" main="true" />
    <property name="user.name" value="FSQ-Frontend" />
    <property name="poi.logging" value="ON" />
    <property name="logging" value="0" />
  </resources>
  <application-desc main-class="FSQMain" />
  <installer-desc main-class="FSQMain" />
</jnlp>
--------------- END SOURCE --------------------
(Review ID: 163604) 
======================================================================

                                    

Comments
EVALUATION

The problem was caused by some version of jarsigner acting on a jar allready
containing a manifest with the contents:
> Manifest-Version: 1.0^M 
> Built-By: Glen Stampoultzis^M
> ^M
> Name: common^M
> Specification-Title: jakarta-poi^M
> Specification-Version: 1.5.1^M
> Specification-Vendor: Apache Software Foundation^M
> Implementation-Title: jakarta-poi^M
> Implementation-Version: 1.5.1-final^M
> Implementation-Vendor: Apache Software Foundation^M 

jarisgner would insert this in the middle of the new manifest file it generated.
This would then have an entry:
> Name: common^M
corrisponding to a file not existant in the jar.  thus the error.

later versions of jarsigner do not have this problem.
signing this jar with jarsigner from 1.3.1 or later fixes the problem

###@###.### 2002-08-30


Although the original bug description delt with empty directorys, there have been many jdc comments to this bug dealing with manifest entrys that contain
package versioning information that was discarded by jarsigner thru java 1.3.1,
and now, due to a fix for bug 4404260: jarsigner discards package versioning information, is now maintained byjarsigner from versions beyond 1.4.0.
I am re-opening this question to determine if the assumption javaws is making (that all entries in the manifest must have corrisponding entries in the jar file) is still valid after this change in jarsigner.

###@###.### 2002-11-12
                                     
2002-11-12
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
mantis

FIXED IN:
mantis

INTEGRATED IN:
mantis
mantis-b08


                                     
2004-08-31



Hardware and Software, Engineered to Work Together