JDK-8218021 : Have jarsigner preserve posix permission attributes
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-01-29
  • Updated: 2023-12-04
  • Resolved: 2020-07-02
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 16
11.0.10-oracleFixed 16 b05Fixed
Related Reports
CSR :  
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8248263 :  
JDK-8248807 :  
Submitter uses jarsigner to sign zip files. Below is the sample of final signing 
command which use for signing. 

jarsigner -J-Xmx1024m -keystore /path/to/java.keystore -keypass *** 
-storepass *** -tsa timeStampUrl -signedjar SignFileLocation() 
UploadFileLocation() alias 

UploadFileLocation()  --- zip file to be signed, files inside zip(After extracting) has permissions rwxr-xr-x 
SignFileLocation() --- signed zip file, files inside zip(After extracting ) has permissions rw-r--r-- 

jarsigner is changing the file permissions as per the above finding. 

This bug is affecting the release of patches and we could not find a 
straightforward solution. We can sign via openssl, but that creates 
additional files that make the installation of the patch incompatible with 
current machinery and it would not be backward compatible either. 
Fix request (11u) Requesting backport of this fix for Oracle 11.0.10 parity. The change needed some adaptation, 11u RFR thread to be found here: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-November/004118.html

Thanks [~mullan] - docs sub-task created: JDK-8248807

URL: https://hg.openjdk.java.net/jdk/jdk/rev/d886e752a7b0 User: coffeys Date: 2020-07-02 08:21:47 +0000

[~coffeys] Should we also file a related docs issue to add the warning to https://docs.oracle.com/en/java/javase/14/docs/specs/man/jarsigner.html#informational-warnings ? This may also be a good place to add a link to additional information about POSIX file permissions in case users are wondering what this warning means -- perhaps the POSIX file attributes section of the jdk.zipfs module is the best place: https://download.java.net/java/early_access/jdk15/docs/api/jdk.zipfs/module-summary.html.

During CSR review, a new request to have jarsigner preserve such attributes by default was requested. Will make this default behaviour for jarsigner. During the verify operation, jarsigner could also display warnings about non-use of such attributes during verification process.

For zip files, we should examine this special case where external file attributes field is already populated in the central directory for each zip entry. Perhaps we can preserve that value when signing zip files.

Is it possible that you could "double zip" your deliverable ? That way, your internal zip (the real deliverable) is untouched by jarsigner and the contents are still verified by jarsigner. A sample artifact might look like the following: unzip -l doublezip.zip Archive: doublezip.zip Length Date Time Name --------- ---------- ----- ---- 150 2019-08-14 16:14 META-INF/MANIFEST.MF 312 2019-08-14 16:14 META-INF/SEANKEY.SF 1310 2019-08-14 16:14 META-INF/SEANKEY.RSA 164297 2019-08-14 16:13 aug14.zip --------- ------- 166069 4 files where "aug14.zip" is the product that you're interested in.