JDK-8252517 : Symlinks attributes not preserved when using jarsigner on zip files
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 8-pool,11-pool,16
  • Submitted: 2020-08-28
  • Updated: 2020-09-04
  • Resolved: 2020-09-04
Description
Summary
-------

Have the jarsigner tool retain symbolic link attributes already in place during signing operations.

Problem
-------
This follows on from work already done via https://bugs.openjdk.java.net/browse/JDK-8218021

The POSIX file permission attribute values are stored in 12 of the bits allocated to the external file attributes field. 4 extra bits store information such as whether the entry is a symbolic link.

Although the Zip specification does not explicitly define a canonical way to store these attributes, implementors of Zip tooling share a common understanding that serves as a de facto standard, using Zip's CEN header fields. Support for symbolic links is based on the work in the info-zip implementation, which is available as open source: http://infozip.sourceforge.net/

When jarsigner is used to sign a jar/zip file, a new zip is cloned and replaces the original file once signed. Until this enhancement, jarsigner ignores some of the file attribute values stored in the file being signed and resets them to '0' in the newly signed file. Files created by the jar tool don't store symbolic link information; they place a direct reference to the file instead. The issue mainly affects files created by the zip tool implementation. The info-zip project provides a zipinfo command. Ideally, jarsigner should not remove such zip file attributes when signing a zip file.

Solution
--------

Make jarsigner aware of 'symbolic link' attributes. If such attributes are present in a file being signed, preserve them.

The existing warning introduced in JDK-8218021 is expanded to mention symbolic links. The warning will be emitted from the jarsigner tool when signing and verifying signed files that contain symbolic link attributes. The warning will indicate that such attribute values are not used during the file verification process. The warning printed will be: "POSIX file permission and/or symlink attributes detected. Note that these attributes are unsigned and not protected by the signature."
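
An added example (not part of this CSR or of the JDK sources) that lists which entries of an archive carry the attributes the warning refers to, so they can be reviewed separately from the signature check. It assumes the info-zip convention of storing the Unix mode in the high 16 bits of the external file attributes field; the function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

UNIX = 3  # host system value for Unix in the CEN "version made by" field

def build_sample() -> bytes:
    """Constructed sample archive: a regular file, a symlink, a plain entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        reg = zipfile.ZipInfo("bin/tool.sh")
        reg.create_system = UNIX
        reg.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(reg, "#!/bin/sh\n")

        link = zipfile.ZipInfo("bin/tool")
        link.create_system = UNIX
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "tool.sh")  # a symlink entry's data is its target path

        plain = zipfile.ZipInfo("META-INF/MANIFEST.MF")
        plain.create_system = 0       # no Unix attributes recorded
        plain.external_attr = 0       # what an entry looks like after a reset to '0'
        zf.writestr(plain, "Manifest-Version: 1.0\n")
    return buf.getvalue()

def unsigned_attributes(data: bytes) -> dict:
    """Map entry name -> (permission bits, is_symlink) for entries carrying them."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16   # assumed layout: Unix mode in high 16 bits
            perms = mode & 0o7777             # the 12 POSIX permission bits
            is_link = stat.S_ISLNK(mode)      # file type is held in the 4 extra bits
            # Assumption of this example: only trust the bits when the entry
            # declares a Unix host system.
            if info.create_system == UNIX and (perms or is_link):
                found[info.filename] = (oct(perms), is_link)
    return found

if __name__ == "__main__":
    for name, (perms, is_link) in unsigned_attributes(build_sample()).items():
        print(f"{name}: perms={perms} symlink={is_link}")
```

Because these values sit outside the signed content, a non-empty result means the extracted file modes and link types should not be treated as covered by a successful signature verification.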


Specification
-------------

A JDK implementation-specific behavioural change to have jarsigner preserve symbolic link attributes when present. This attribute, stored with any entry in the original jar/zip resource, will be saved in the newly signed jar/zip file.


Comments
Moving to Approved. Is there any additional extra information, commonly found in 3rd party zip files, that should receive similar treatment?
04-09-2020

Signing regular ZIP files with `jarsigner` is an unusual use-case but what is proposed looks okay as it would be surprising if signing were to silently drop attributes. Also emitting a warning for this case makes sense too.
31-08-2020