JDK-6712755 : jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: solaris_10
  • CPU: sparc
  • Submitted: 2008-06-10
  • Updated: 2011-02-16
  • Resolved: 2009-12-14
Fix Versions
  • 5.0u23 : Fixed
  • 6u18 : Fixed
  • 7 : Fixed
  • OpenJDK6 : Fixed
Description
FULL PRODUCT VERSION :
1.5.0_14

ADDITIONAL OS VERSION INFORMATION :
SunOS zstv270715 5.10 Generic_127111-02 sun4v sparc SUNW,SPARC-Enterprise-T5220


A DESCRIPTION OF THE PROBLEM :
jarsigner with JDK 1.5.0_14 fails to sign iTextAsian.jar; this means that the jar file cannot be distributed via Java Web Start. We verified that the problem is also present in JDK 1.5.0_15. We are staying at 1.5.0_13 until this problem is resolved.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the jarsigner with iTextAsian.jar

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting jarsigner to sign the jar file.
ACTUAL -
Failed to sign the jar file.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Use jarsigner from JDK 1.5.0_13

Release Regression From : 5.0u13
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.

Comments
EVALUATION Regression introduced by 6543940. That fix tries to copy the raw header bytes from the old manifest to the new one. When there's no header, it regards the first jar entry section as it. I've fixed the code to recognize the empty header, which is defined as the bytes before the first empty line. An empty line can be recognized as two consecutive \r\n, or as a \r\n at the beginning.
17-06-2009
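The empty-header rule from the evaluation above, worked through on a constructed manifest (an added example, not the JDK's jarsigner code): `split_legacy` models the pre-fix split that took the first blank line as the end of the header, and `split_fixed` adds the check for a manifest that opens with \r\n. The second entry name and the digest values are placeholders; only cjkfonts.properties comes from this report.

```python
CRLF = b"\r\n"

def split_legacy(raw):
    """Pre-fix behaviour: the header is everything up to and including the
    first blank line. When the main section is empty, the first per-entry
    section is mistaken for the header and dropped from the entries."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        return raw, []
    end += 2 * len(CRLF)
    return raw[:end], _sections(raw[end:])

def split_fixed(raw):
    """Fixed behaviour: a manifest that opens with CRLF has an empty header,
    so the header is just that blank line and every Name: section survives."""
    if raw.startswith(CRLF):
        return CRLF, _sections(raw[len(CRLF):])
    return split_legacy(raw)

def _sections(rest):
    """Split the per-entry part on blank lines, each section keeping its own
    terminating blank line."""
    out, pos = [], 0
    while pos < len(rest):
        end = rest.find(CRLF + CRLF, pos)
        if end < 0:
            out.append(rest[pos:])
            break
        end += 2 * len(CRLF)
        out.append(rest[pos:end])
        pos = end
    return out

def entry_names(sections):
    """Entry names (the Name: line of each section) that would get signed."""
    return [line[len(b"Name: "):].decode("utf-8")
            for sec in sections for line in sec.split(CRLF)
            if line.startswith(b"Name: ")]

# Constructed input: the illegal manifest from this report (only "\r\n") after
# jarsigner has appended two per-entry sections. "<digest>" stands in for the
# real SHA1-Digest values and the second entry name is made up.
BROKEN_MANIFEST = (
    CRLF
    + b"Name: com/lowagie/text/pdf/fonts/cjkfonts.properties" + CRLF
    + b"SHA1-Digest: <digest>" + CRLF + CRLF
    + b"Name: example/SecondEntry.class" + CRLF
    + b"SHA1-Digest: <digest>" + CRLF + CRLF
)
```

Compare `entry_names()` of the sections returned by `split_legacy(BROKEN_MANIFEST)` and `split_fixed(BROKEN_MANIFEST)`: the legacy split loses cjkfonts.properties into the header, the fixed split keeps both entries.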

WORK AROUND Remove the empty MANIFEST.MF entry from the jar file and sign again.
15-06-2009

EVALUATION I've taken a look at the jar file. The problem is that it includes an illegal MANIFEST.MF with only "\r\n" inside, and then bad things happen:
  1. jarsigner reads it, thinks it already has a manifest, so it doesn't create a new Manifest-Main-Attributes for it.
  2. When trying to write the entries to the manifest file one by one, jarsigner *removes the first one*, which it believes is the Manifest-Main-Attributes, and uses the remaining parts as named sections for jar entries. Unfortunately, the first one is a jar entry, which later doesn't get signed.
Although the problem is due to the illegal MANIFEST.MF, jarsigner can be enhanced to be more robust.
15-06-2009

EVALUATION I looked into this a little bit more and found a problem. I downloaded iTextAsian.jar from http://www.geocities.com/itextpdf/ (also attached to this CR) and signed it using jarsigner from JDK 5u14. When I verified it, I noticed that one of the jar entries was not signed/hashed:
  809 Tue Feb 04 16:28:58 EST 2003 com/lowagie/text/pdf/fonts/cjkfonts.properties
jarsigner -verify emits the following warning:
  Warning: This jar contains unsigned entries which have not been integrity-checked.
This does not occur if you sign with jarsigner 5u13.
12-06-2009

EVALUATION I need more information to evaluate this bug report. Please attach at least the following information:
  1) The jarsigner command line that you used. Please specify the -verbose option.
  2) The output from the jarsigner command, including any errors or exceptions.
  3) The iTextAsian.jar that you are signing.
  4) Any other information that you think would be useful.
11-06-2009