JDK-6712755 : jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13

Details
Type: Bug
Submit Date: 2008-06-10
Status: Closed
Updated Date: 2011-02-16
Project Name: JDK
Resolved Date: 2009-12-14
Component: security-libs
OS: solaris_10
Sub-Component: java.security
CPU: sparc
Priority: P3
Resolution: Fixed
Affected Versions: 5.0
Fixed Versions: 5.0u23 (b01)

Description
FULL PRODUCT VERSION :
1.5.0_14

ADDITIONAL OS VERSION INFORMATION :
SunOS zstv270715 5.10 Generic_127111-02 sun4v sparc SUNW,SPARC-Enterprise-T5220


A DESCRIPTION OF THE PROBLEM :
jarsigner with JDK 1.5.0_14 fails to sign iTextAsian.jar; this means that the jar file cannot be distributed via Java Web Start. We verified that the problem is also present in JDK 1.5.0_15. We are staying at 1.5.0_13 until this problem is resolved.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the jarsigner with iTextAsian.jar

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting jarsigner to sign the jar file.
ACTUAL -
Failed to sign the jar file.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Use jarsigner from JDK 1.5.0_13

Release Regression From : 5.0u13
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.

Comments
EVALUATION

Regression introduced by 6543940.

That fix tries to copy the raw header bytes from the old manifest to the new one. When there's no header, it regards the first jar entry section as the header. I've fixed the code to recognize the empty header, which is defined as the bytes before the first empty line. An empty line can be recognized as two consecutive \r\n, or a \r\n at the beginning.
2009-06-17
EVALUATION

I've taken a look at the jar file. The problem is that it includes an illegal MANIFEST.MF with only "\r\n" inside, and then bad things happened:

1. jarsigner reads it, thinks it already has a manifest, so it doesn't create a new Manifest-Main-Attributes for it.

2. when trying to write the entries to the manifest file one by one, jarsigner *removes the first one*, which it believes is the Manifest-Main-Attributes and uses the remaining parts as named sections for jar entries. Unfortunately, the first one is a jar entry, which later doesn't get signed.

Although the problem is due to the illegal MANIFEST.MF, jarsigner can be enhanced to be more robust.
2009-06-15
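The two evaluations above describe the same failure from both sides: a manifest whose header region is just "\r\n" makes the pre-fix jarsigner take the first jar-entry section as the main attributes, so that entry never gets hashed, while the fix defines the header as the bytes before the first empty line. The following is an added example (not JDK or jarsigner code) that models both splitting rules over constructed manifest bytes and shows which entries end up in named, digested sections. Entry names other than cjkfonts.properties, the file contents, and the helper names (`split_manifest_fixed`, `split_manifest_buggy`, `rewrite_manifest`, `signed_names`, `compare`) are assumptions made for the example; only the "\r\n"-only MANIFEST.MF and the empty-line rule come from the report.

```python
"""Added example (not JDK code): model of the manifest-header rule from this bug.

A JAR manifest is a main-attributes header followed by named sections, all
separated by empty lines. The pre-fix jarsigner treated the first section as
the header; the fix defines the header as the bytes before the first empty
line, so a manifest that begins with CRLF has an empty header. Entry names
(other than cjkfonts.properties) and file contents are constructed sample data.
"""
import base64
import hashlib

CRLF = b"\r\n"
EMPTY_LINE = CRLF + CRLF


def split_manifest_fixed(raw: bytes) -> tuple[bytes, list[bytes]]:
    """Header = bytes before the first empty line (two consecutive CRLFs, or a
    CRLF at the very start). Everything after it is named sections."""
    if raw.startswith(CRLF):
        header, rest = b"", raw[len(CRLF):]
    else:
        idx = raw.find(EMPTY_LINE)
        if idx < 0:
            return raw, []  # no empty line at all: the whole manifest is header
        header, rest = raw[:idx + len(CRLF)], raw[idx + len(EMPTY_LINE):]
    sections = [s.strip(b"\r\n") + CRLF for s in rest.split(EMPTY_LINE) if s.strip(b"\r\n")]
    return header, sections


def split_manifest_buggy(raw: bytes) -> tuple[bytes, list[bytes]]:
    """Pre-fix behaviour as the evaluation describes it: the first non-empty
    section is always taken to be the header, even when none exists."""
    parts = [s.strip(b"\r\n") + CRLF for s in raw.split(EMPTY_LINE) if s.strip(b"\r\n")]
    return (b"", []) if not parts else (parts[0], parts[1:])


def digest_section(name: str, content: bytes) -> bytes:
    """One named section carrying the entry's base64 SHA1-Digest."""
    digest = base64.b64encode(hashlib.sha1(content).digest()).decode()
    return f"Name: {name}\r\nSHA1-Digest: {digest}\r\n".encode()


def rewrite_manifest(old_raw: bytes, entries: dict[str, bytes]) -> bytes:
    """Emulate the signing rewrite: keep the old manifest's raw bytes as the
    header region and append one digest section per jar entry."""
    if old_raw != CRLF and not old_raw.endswith(EMPTY_LINE):
        old_raw += CRLF
    return old_raw + CRLF.join(digest_section(n, c) for n, c in entries.items())


def signed_names(manifest: bytes, splitter) -> list[str]:
    """Entry names that land in named sections (and so are hashed and signed)."""
    _, sections = splitter(manifest)
    names = []
    for sec in sections:
        for line in sec.split(CRLF):
            if line.startswith(b"Name: "):
                names.append(line[len(b"Name: "):].decode())
    return names


# Constructed sample jar contents; the first name is the entry from the report.
ENTRIES = {
    "com/lowagie/text/pdf/fonts/cjkfonts.properties": b"# constructed sample\r\nfont=x\r\n",
    "com/lowagie/text/pdf/fonts/sample2.properties": b"# constructed sample\r\nfont=y\r\n",
}
ILLEGAL_MANIFEST = CRLF                             # the MANIFEST.MF from the report: only "\r\n"
NORMAL_MANIFEST = b"Manifest-Version: 1.0\r\n\r\n"  # a well-formed header


def compare(old_raw: bytes) -> dict[str, list[str]]:
    """Names each splitting rule would sign after rewriting old_raw."""
    new = rewrite_manifest(old_raw, ENTRIES)
    return {"buggy": signed_names(new, split_manifest_buggy),
            "fixed": signed_names(new, split_manifest_fixed)}


if __name__ == "__main__":
    for label, raw in (("illegal", ILLEGAL_MANIFEST), ("normal", NORMAL_MANIFEST)):
        print(label, compare(raw))
```

Run stand-alone, the illegal manifest shows cjkfonts.properties missing from the "buggy" list and present in the "fixed" one, matching the unsigned-entry warning reported below; with a normal header both rules agree, which is why only jars carrying the malformed MANIFEST.MF regressed. Checking a signed jar with `jarsigner -verify -verbose` and looking for the "unsigned entries" warning remains the practical way to catch this class of problem.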
WORK AROUND

Remove the empty MANIFEST.MF entry from the jar file and sign again.
2009-06-15
EVALUATION

I looked into this a little bit more and found a problem. I downloaded iTextAsian.jar from http://www.geocities.com/itextpdf/ (also attached to this CR) and signed it using jarsigner from JDK 5u14. When I verified it, I noticed that one of the jar entries was not signed/hashed:

         809 Tue Feb 04 16:28:58 EST 2003 com/lowagie/text/pdf/fonts/cjkfonts.properties

jarsigner -verify emits the following warning:

Warning: This jar contains unsigned entries which have not been integrity-checked.

This does not occur if you sign with jarsigner 5u13.
2009-06-12
EVALUATION

I need more information to evaluate this bug report. Please attach at least the following information:

1) The jarsigner command line that you used. Please specify the -verbose option.

2) The output from the jarsigner command, including any errors or exceptions.

3) The iTextAsian.jar that you are signing.

4) Any other information that you think would be useful.
2009-06-11