JDK-4931281 : Regression: jarsigner fails to verify the jar files
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.2_01,5.0
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,solaris_8
  • CPU: generic
  • Submitted: 2003-10-02
  • Updated: 2003-12-17
  • Resolved: 2003-11-03
Other
  • 1.4.2_04 (build 04): Fixed
Description
We used to sign jar files with a trusted certificate (Root or self signed) to remove the "Java Application Window" banner. This worked fine with JDK 1.3.1_x, but there seems to be some regression in the JDK 1.4.2_01 jarsigner. Although jarsigner verifies the jar files, it throws the following error:

warning...

jar verified.

Note: This jar contains unsigned entries which are not integrity-checked. Re-run with -verbose to list unsigned entries.

Attached are two jar files to show the problem. jnlp-unsigned.jar and jnlp-signed.jar are unsigned and signed files respectively.

With Java 1.4.2_01-b06....

1) using jnlp.jar as an example...initial check with jarsigner...
      jarsigner -verify jnlp.jar

      jarsigner: java.lang.IllegalStateException: zip file closed  ?????? Surely should say jar not signed.

2) Sign jar with trusted certificate from Verisign:
      jarsigner -keystore \NewPortSrc\make\newport.keyStore -storepass newport jnlp.jar newport.verisign

3) Verify:
      jarsigner -verify -verbose jnlp.jar

        1293 Wed Oct 01 10:48:14 BST 2003 META-INF/MANIFEST.MF
        1346 Wed Oct 01 10:48:14 BST 2003 META-INF/NEWPORT_.SF
        2981 Wed Oct 01 10:48:14 BST 2003 META-INF/NEWPORT_.RSA
           0 Wed Oct 01 10:43:06 BST 2003 META-INF/
           0 Wed Oct 01 10:42:42 BST 2003 javax/
           0 Wed Oct 01 10:42:42 BST 2003 javax/jnlp/
sm       283 Thu Jul 12 17:07:36 BST 2001 javax/jnlp/BasicService.class
sm       276 Thu Jul 12 17:07:40 BST 2001 javax/jnlp/ClipboardService.class
sm      1417 Thu Jul 12 17:07:40 BST 2001 javax/jnlp/DownloadService.class
sm       374 Thu Jul 12 17:07:40 BST 2001 javax/jnlp/DownloadServiceListener.class
sm       684 Thu Jul 12 17:07:38 BST 2001 javax/jnlp/ExtensionInstallerService.class
sm       623 Thu Jul 12 17:07:14 BST 2001 javax/jnlp/FileContents.class
sm       395 Thu Jul 12 17:07:36 BST 2001 javax/jnlp/FileOpenService.class
sm       455 Thu Jul 12 17:07:38 BST 2001 javax/jnlp/FileSaveService.class
sm      1476 Thu Jul 12 17:07:50 BST 2001 javax/jnlp/JNLPRandomAccessFile.class
sm       713 Thu Jul 12 17:07:42 BST 2001 javax/jnlp/PersistenceService.class
sm       375 Thu Jul 12 17:07:40 BST 2001 javax/jnlp/PrintService.class
sm       851 Thu Jul 12 17:06:48 BST 2001 javax/jnlp/ServiceManager.class
sm       328 Thu Jul 12 17:07:08 BST 2001 javax/jnlp/ServiceManagerStub.class
sm       328 Thu Jul 12 17:07:08 BST 2001 javax/jnlp/UnavailableServiceException.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Note: This jar contains unsigned entries which are not integrity-checked. Re-run with -verbose to list unsigned entries.



Comments
CONVERTED DATA: BugTraq+ Release Management Values
  • COMMIT TO FIX: 1.4.2_04 tiger-beta
  • FIXED IN: 1.4.2_04 tiger-beta
  • INTEGRATED IN: 1.4.2_04 tiger-b28 tiger-beta
  • VERIFIED IN: 1.4.2_04
14-06-2004

SUGGESTED FIX < * @(#)JarSigner.java 1.52 03/01/23 --- > * @(#)JarSigner.java 1.53 03/11/05 34c34 < * @version 1.52 01/23/03 --- > * @version 1.53 11/05/03 298d297 < jf.close(); 299a299,300 > // Don't use "jf" after it's been closed! > jf.close(); 309c310 < hasUnsignedEntry |= ((!isSigned) && --- > hasUnsignedEntry |= ((!je.isDirectory()) && (!isSigned) &&
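Review bot: the relocated `jf.close();` in hunk 298d297/299a299,300 runs only on the normal path, so if a SecurityException (digest mismatch) or IOException escapes the verification loop the JarFile is never closed. Wrapping the loop in `try { ... } finally { jf.close(); }` closes it on every path and also enforces what the new comment "Don't use "jf" after it's been closed!" asks for, since nothing can follow the finally.

Review bot: in hunk 309c310 the added `(!je.isDirectory())` term only stops directory entries from setting `hasUnsignedEntry`; the `-verbose` listing that the warning tells users to re-run still prints directories such as `META-INF/` and `javax/jnlp/` without the `sm` flags (see the listing in the description), so a reader will still take them for the unsigned entries the Note refers to. Apply the same directory test to the listing path, or print directories with an explicit marker, so the count and the listing agree.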
11-06-2004

PUBLIC COMMENTS Regression: jarsigner fails to verify the jar files
10-06-2004

EVALUATION There are 2 issues here:
1) jarsigner throws an IllegalStateException when attempting to verify a JAR file which has not been signed. This is a bug which has already been fixed for the Tiger release (see bugid 4874885).
2) jarsigner displays a warning when verifying a signed JAR file when it contains any unsigned elements. This warning is the fix for bugid 4399443.
###@###.### 2003-10-17 will fix the above 2) by ignoring unsigned directory entries when reporting unsigned entries.
17-10-2003
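The following is an added example, not JDK or jarsigner source, that reproduces the decision behind the three outcomes seen in this report ("jar is unsigned", "jar verified.", and the Note about unsigned entries) using the public java.util.jar API. It applies the two points from the evaluation: the JarFile is closed only after every entry has been read (the "zip file closed" IllegalStateException), and directory entries are not counted as unsigned because they carry no content to integrity-check. The class name UnsignedEntryCheck and its method names are this example's own; it assumes Java 7 or later for try-with-resources and takes one JAR path on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/*
 * Added example (not jarsigner code): decide whether a JAR is unsigned,
 * fully signed, or signed with unsigned entries, skipping directory entries
 * the way the fix for this bug does.
 */
public class UnsignedEntryCheck {

    // Files jarsigner treats as signature-related; they are never "unsigned entries".
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA")
                    || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // A JAR is signed if it carries at least one META-INF/*.SF signature file
    // (NEWPORT_.SF in the report).
    static boolean hasSignatureFile(JarFile jf) {
        Enumeration<JarEntry> en = jf.entries();
        while (en.hasMoreElements()) {
            String n = en.nextElement().getName().toUpperCase();
            if (n.startsWith("META-INF/") && n.endsWith(".SF")) return true;
        }
        return false;
    }

    // Names of entries with no code signer. Directory entries have no content to
    // integrity-check, so they are skipped (the "!je.isDirectory()" test the fix adds).
    static List<String> unsignedEntries(JarFile jf) throws IOException {
        List<String> unsigned = new ArrayList<String>();
        byte[] buf = new byte[8192];
        Enumeration<JarEntry> en = jf.entries();
        while (en.hasMoreElements()) {
            JarEntry je = en.nextElement();
            if (je.isDirectory() || isSignatureRelated(je.getName())) continue;
            // getCodeSigners() is only populated once the entry's bytes have been
            // pulled through the verifying stream; a digest mismatch against the
            // manifest surfaces here as a SecurityException.
            try (InputStream in = jf.getInputStream(je)) {
                while (in.read(buf) != -1) { /* consume to verify */ }
            }
            if (je.getCodeSigners() == null) unsigned.add(je.getName());
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java UnsignedEntryCheck <file.jar>");
            System.exit(2);
        }
        // try-with-resources keeps the JarFile open until every entry has been
        // read and closes it afterwards, so no entry is touched after close()
        // (the "zip file closed" IllegalStateException in the report).
        try (JarFile jf = new JarFile(args[0], true)) {
            if (!hasSignatureFile(jf)) {
                System.out.println("jar is unsigned.");
                return;
            }
            List<String> unsigned = unsignedEntries(jf);
            System.out.println("jar verified.");
            if (!unsigned.isEmpty()) {
                System.out.println("Note: This jar contains unsigned entries which are not integrity-checked.");
                for (String name : unsigned) System.out.println("  unsigned: " + name);
            }
        }
    }
}
```

Run it against the two attached files: on jnlp-unsigned.jar it prints "jar is unsigned." instead of throwing, and on jnlp-signed.jar it prints "jar verified." with no Note, because the only entries without signers are the META-INF/, javax/ and javax/jnlp/ directories, which the directory test excludes. Drop the `je.isDirectory()` clause and the same signed JAR reports those three directories as unsigned, which is exactly the spurious warning this bug describes.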