JDK-8315215 : Adding a manifest to an apk file corrupts the CEN header
  • Type: Bug
  • Component: tools
  • Sub-Component: jar
  • Affected Version: 11.0.20
  • Priority: P3
  • Status: New
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2023-08-28
  • Updated: 2023-08-29
Description
A DESCRIPTION OF THE PROBLEM :
When adding a manifest to an apk file using the `jar` tool, the CEN header gets corrupted.

Since Java 11.0.20 `jarsigner` now does extra validation of ZIP64 extra fields, which makes it easy to see that `jarsigner` can open the original apk file and verify it. However, after adding a manifest to the apk with `jar`, `jarsigner` now fails with "jarsigner: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)".

This is of course not an issue in the `jarsigner` tool, but in the `jar` tool.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Download https://gist.github.com/tyilo/1d81657461267f2bc21e6a78cd026e70/raw/4584fa37b88246115a9084a30c447791357cb891/app-release-unsigned.apk (This file was created by building a release APK of a new project using Android Studio):
```
$ curl -OL https://gist.github.com/tyilo/1d81657461267f2bc21e6a78cd026e70/raw/4584fa37b88246115a9084a30c447791357cb891/app-release-unsigned.apk
```

Verify that the file is a valid zip file according to `jarsigner`:
```
$ jarsigner -verify app-release-unsigned.apk

no manifest.

jar is unsigned.
```

Add a manifest file to the `apk` with `jar`:
```
$ printf 'Manifest-Version: 1.0\nFoo: Bar\n' > manifest.mf
$ jar umvf manifest.mf app-release-unsigned.apk
updated manifest
```

See that `jarsigner` now can't parse the file:
```
$ jarsigner -verify app-release-unsigned.apk
jarsigner: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
```

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Adding a manifest to a jar file with `jar` shouldn't corrupt the CEN header.

FREQUENCY : always
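
To find which central directory (CEN) entries carry a Zip64 extra block (header ID 0x0001) whose size does not fit the entry, the CEN can be walked directly. This is an added example, not code from the report or the JDK: it applies the strict rule from the ZIP APPNOTE rather than the JDK's own validation logic, assumes a non-Zip64 END record, and its function names and sample archive are constructed for illustration.

```python
import struct

CEN_SIG, END_SIG, ZIP64_ID = b"PK\x01\x02", b"PK\x05\x06", 0x0001

def check_zip64_extras(data):
    """Return [(entry name, problem)] for inconsistent CEN extra fields."""
    end = data.rfind(END_SIG)
    if end < 0:
        raise ValueError("no END header found")
    # END record: total entries at +10, CEN size at +12, CEN offset at +16.
    total, _cen_size, pos = struct.unpack_from("<HII", data, end + 10)
    problems = []
    for _ in range(total):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad CEN signature at offset {pos}")
        csize, usize, nlen, elen, clen, disk = struct.unpack_from("<IIHHHH", data, pos + 20)
        (locoff,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + elen]
        # APPNOTE: a Zip64 block holds an 8-byte value for each size/offset
        # field set to 0xFFFFFFFF, plus 4 bytes if the disk number is 0xFFFF.
        expected = 8 * [usize, csize, locoff].count(0xFFFFFFFF) + 4 * (disk == 0xFFFF)
        i = 0
        while i + 4 <= len(extra):
            tag, size = struct.unpack_from("<HH", extra, i)
            if i + 4 + size > len(extra):
                problems.append((name, f"extra block 0x{tag:04x} overruns extra field"))
                break
            if tag == ZIP64_ID and size != expected:
                problems.append((name, f"zip64 extra size {size}, expected {expected}"))
            i += 4 + size
        pos += 46 + nlen + elen + clen
    return problems

def sample_archive(extra):
    """Constructed input: one CEN entry plus END record (the check reads nothing else)."""
    name = b"classes.dex"
    cen = struct.pack("<4s6H3I5H2I", CEN_SIG, 20, 20, 0, 0, 0, 0, 0, 10, 10,
                      len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cen + struct.pack("<4s4H2IH", END_SIG, 0, 0, 1, 1, len(cen), 0, 0)

# Constructed: an 8-byte Zip64 block on an entry with no 0xFFFFFFFF fields.
BAD_EXTRA = struct.pack("<HHQ", ZIP64_ID, 8, 10)
TRUNCATED_EXTRA = struct.pack("<HH", ZIP64_ID, 8)  # header claims 8 bytes, none follow

if __name__ == "__main__":
    for label, extra in (("clean", b""), ("bad", BAD_EXTRA), ("truncated", TRUNCATED_EXTRA)):
        print(label, check_zip64_extras(sample_archive(extra)))
```

To inspect a real file, pass `open(path, "rb").read()` to `check_zip64_extras` before and after the `jar umvf` step and compare the results.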



Comments
This looks like a dup of JDK-8313765 where the validation has been relaxed for unusual extra fields added by some tools.
29-08-2023

It would be useful to know if this duplicates with JDK 22 b11 or newer to see if it duplicates after the changes in JDK-8313765. Also useful to know if this duplicates with -J-Djdk.util.zip.disableZip64ExtraFieldValidation=true.
29-08-2023

The issue is not reproducible with JDK 11.0.17. But with JDK 11.0.20+9, the issue is reproducible:
```
PS C:\Downloads> C:\jdk\jdk-11.0.20+9_windows-x64_bin\jdk-11.0.20\bin\jarsigner -verify app-release-unsigned.apk
jarsigner: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
```
This is a regression issue. The issue is not reproducible with JDK 22b11.
29-08-2023