JDK-4739089 : java web start does not handle signed jars correctly
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 1.2.0
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_nt,windows_2000
  • CPU: x86
  • Submitted: 2002-08-29
  • Updated: 2002-11-19
  • Resolved: 2002-11-19
Other: 1.4.2 mantis, Fixed
Related Reports
Duplicate :  
Description

Name: nt126004			Date: 08/29/2002


FULL PRODUCT VERSION :
java version "1.4.1-rc"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1-rc-b19)
Java HotSpot(TM) Client VM (build 1.4.1-rc-b19, mixed mode)

FULL OPERATING SYSTEM VERSION :Windows NT Version 4.0


ADDITIONAL OPERATING SYSTEMS :(probably all supported OS)



A DESCRIPTION OF THE PROBLEM :
I wanted to use Apache-Jakarta-POI in my application and
deploy it with java webstart.
But it looks like webstart still contains the bugs 4348802
and 4348800.
The jarfile jakarta-poi-1.5.1-FINAL-20020615.jar is built
by apache (or the ant-script that came with the source) and
starts like this (jarsigner -verbose -verify):
       33105 Thu Aug 22 15:52:28 CEST 2002 META-INF/MANIFEST.MF
       32983 Thu Aug 22 15:52:30 CEST 2002 META-INF/MC-DWH.SF
        1088 Thu Aug 22 15:52:30 CEST 2002 META-INF/MC-DWH.DSA
           0 Sat Jun 15 13:43:02 CEST 2002 META-INF/
           0 Sat Jun 15 13:30:54 CEST 2002 org/
           0 Sat Jun 15 13:30:54 CEST 2002 org/apache/
           0 Sat Jun 15 13:30:54 CEST 2002 org/apache/poi/
           0 Sat Jun 15 13:30:54 CEST 2002 org/apache/poi/dev/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hpsf/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hpsf/littleendian/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hpsf/wellknown/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/dev/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/eventmodel/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/model/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/record/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/record/aggregates/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/record/formula/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/records/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/usermodel/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/hssf/util/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/common/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/dev/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/eventfilesystem/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/filesystem/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/property/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/poifs/storage/
           0 Sat Jun 15 13:30:58 CEST 2002 org/apache/poi/util/
sm       410 Sat Jun 15 13:30:58 CEST 2002 log4j.properties

the entries with length == 0 are directories, but webstart
seems to treat them like normal files with length==0 and
throws an exception like this:

Missing signed entry in resource:
http://erlf496a.erlf.siemens.de/dwh/files/fsq/sjakarta-poi-1.5.1-FINAL-20020615.jar

signed jars, that do not include zero-length entries of any
kind seem to be accepted.



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. download jakarta from
http://jakarta.apache.org/builds/jakarta-poi/release/src/
2. sign sjakarta-poi-1.5.1-FINAL-20020615.jar to sjakarta-poi-1.5.1-FINAL-20020615.jar
3. include that signed jar in any existing JNLP-file

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected:
1.
webstart should consider the type of the entry that is
verified. directory-entries will always have zero length,
and will never be signed, but that does not matter at all.
2.
webstart should not issue error-message of the kind :
"i know what is wrong, but i won't tell you"
instead of just printing a message like "Missing signed
entry in resource: " it should print at least the name of
the entry that is considered to be unsigned.



ERROR MESSAGES/STACK TRACES THAT OCCUR :
  Category: Download Error

Missing signed entry in resource:
http://erlf496a.erlf.siemens.de/dwh/files/fsq/sjakarta-poi-1.5.1-FINAL-20020615.jar


REPRODUCIBILITY :
This bug can be reproduced always.

-------------- SOURCE CODE -----------------
<jnlp spec="1.0+" version="0.1" href="fsq.jnlp" codebase="http://erlf496a.erlf.siemens.de/dwh/files/fsq/">
  <information>
    <title>(TEST)FSQ</title>
    <vendor>SIEMENS AG, A&amp;D MC IT</vendor>
    <homepage href="http://erlf496a.erlf.siemens.de/dwh/files/fsq/index.html" />
    <description kind="one-line">FSQ Test</description>
    <description kind="tooltip">dies ist die aktuelle Entwicklungsversion des FSQ-Frontends</description>
    <description kind="short">Testversion vom 13.08.2002</description>
    <icon href="fsq_logo.gif" />
    <offline-allowed />
  </information>
  <security>
  </security>
  <resources>
    <j2se version="1.4+"  />
    <jar href="sFSQimages.jar" />
    <jar href="sFSQproperties.jar" />
    <jar href="sFSQini.jar" />
    <jar href="sclasses12.jar" />
    <jar href="scommons-logging-1.0.jar" />
    <jar href="sjakarta-poi-1.5.1-FINAL-20020615.jar" />
    <jar href="sJCT.jar" />
    <jar href="sJCTds.jar" />
    <jar href="sJCE.jar" />
    <jar href="sFSQ.jar" main="true" />
    <property name="user.name" value="FSQ-Frontend" />
    <property name="poi.logging" value="ON" />
    <property name="logging" value="0" />
  </resources>
  <application-desc main-class="FSQMain" />
  <installer-desc main-class="FSQMain" />
</jnlp>
--------------- END SOURCE --------------------
(Review ID: 163604) 
======================================================================

Comments
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX: mantis
FIXED IN: mantis
INTEGRATED IN: mantis mantis-b08
31-08-2004

EVALUATION

The problem was caused by some version of jarsigner acting on a jar already containing a manifest with the contents:

> Manifest-Version: 1.0^M
> Built-By: Glen Stampoultzis^M
> ^M
> Name: common^M
> Specification-Title: jakarta-poi^M
> Specification-Version: 1.5.1^M
> Specification-Vendor: Apache Software Foundation^M
> Implementation-Title: jakarta-poi^M
> Implementation-Version: 1.5.1-final^M
> Implementation-Vendor: Apache Software Foundation^M

jarsigner would insert this in the middle of the new manifest file it generated. This would then have an entry:

> Name: common^M

corresponding to a file not existent in the jar, thus the error. Later versions of jarsigner do not have this problem. Signing this jar with jarsigner from 1.3.1 or later fixes the problem.

###@###.### 2002-08-30

Although the original bug description dealt with empty directories, there have been many jdc comments to this bug dealing with manifest entries that contain package versioning information that was discarded by jarsigner through java 1.3.1, and now, due to a fix for bug 4404260: jarsigner discards package versioning information, is now maintained by jarsigner from versions beyond 1.4.0. I am re-opening this question to determine if the assumption javaws is making (that all entries in the manifest must have corresponding entries in the jar file) is still valid after this change in jarsigner.

###@###.### 2002-11-12
12-11-2002
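
The mismatch described in the evaluation can be checked before deployment. The following is an added diagnostic, not part of the bug report and not Java Web Start's own code: it lists manifest "Name:" sections that have no matching jar entry, and non-directory entries that have no digest section, while skipping directory entries. The sample jar, its placeholder digest value, and the function names parse_manifest, audit_jar and build_sample_jar are constructed for illustration.

```python
import io
import zipfile


def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Lines may end in CR, LF or CRLF; a line starting with one space
    # continues the previous line (72-byte wrapping).
    unfolded = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    sections = {}
    for block in unfolded.split("\n\n")[1:]:  # block 0 is the main section
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections


def audit_jar(jar_bytes):
    """Compare manifest sections against the entries actually in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    sections = parse_manifest(manifest)
    entries = set(names)
    # Directory entries carry no content and have no digest; skip them.
    files = [n for n in names
             if not n.endswith("/") and not n.startswith("META-INF/")]

    def has_digest(name):
        return any(k.endswith("-Digest") for k in sections.get(name, {}))

    return {
        "manifest_without_entry": sorted(n for n in sections if n not in entries),
        "files_without_digest": sorted(n for n in files if not has_digest(n)),
        "directories_skipped": sorted(n for n in names if n.endswith("/")),
    }


def build_sample_jar():
    """Constructed sample: a 'Name: common' section with no entry, one directory."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        "Name: common\r\nSpecification-Title: jakarta-poi\r\n\r\n"
        "Name: log4j.properties\r\nSHA1-Digest: PLACEHOLDER=\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/", "")                       # directory entry, length 0
        jar.writestr("log4j.properties", "log4j.rootLogger=INFO\n")
        jar.writestr("unsigned.txt", "no digest section\n")
    return buf.getvalue()
```

The check only tests for the presence of digest sections; it does not recompute digests or validate the signature block, which remains the job of jarsigner -verify.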