From the beginning, the jar file has an “undocumented” assumption that the MANIFEST.MF file and signature-related files (block and SF) should appear at the beginning (except for directory entries, say, META-INF/). Otherwise, depending on if we open the file as a JarFile or as a JarInputStream, a file can be treated sometimes as signed and sometimes not (JDK-8021788). We need to clarify this in the javadoc.
Precisely, if opened as JarFile, we will support any entries order (JDK-8031572). If opened as JarInputStream, MANIFEST.MF must be at the beginning, and supported signature-related files follow (one exception, META-INF/). Otherwise, the behavior is not defined.
An @implNote should be added to JarInputStream documenting the constraints.