JDK-8312489 : Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version:
    7-pool,8-pool,11.0.20,11-pool,17.0.8,17-pool,20-pool,21-pool
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2023-07-21
  • Updated: 2024-09-12
  • Resolved: 2023-11-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 11: 11.0.22-oracle (Fixed)
  • JDK 17: 17.0.10-oracle (Fixed)
  • JDK 21: 21.0.1 (Fixed)
  • JDK 22: 22 b09 (Fixed)
  • JDK 7: 7u411 (Fixed)
  • JDK 8: 8u391 (Fixed)
  • Other: openjdk8u402 (Fixed)
Related Reports
CSR :  
Sub Tasks
JDK-8313215 :  
JDK-8313219 :  
Description
After 8300596 (see https://github.com/openjdk/jdk/commit/ecd0bc1d6205d1d1eca67cbfb9d4deaeb65739aa) we run into a regression with the WhiteSource/Mend jar from
https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar

jdk-17.0.8\bin\java -jar wss-unified-agent.jar
Error: An unexpected error occurred while trying to open file wss-unified-agent.jar

jdk-17.0.8\bin\java -Xdiag -jar wss-unified-agent.jar
Error: An unexpected error occurred while trying to open file wss-unified-agent.jar
java.io.IOException: Unsupported size: 8576920 for JarEntry META-INF/MANIFEST.MF. Allowed max size: 8000000 bytes
        at java.base/java.util.jar.JarFile.getBytes(JarFile.java:804)
        at java.base/java.util.jar.JarFile.getManifestFromReference(JarFile.java:419)
        at java.base/java.util.jar.JarFile.getManifest(JarFile.java:406)
        at java.base/sun.launcher.LauncherHelper.getMainClassFromJar(LauncherHelper.java:553)
        at java.base/sun.launcher.LauncherHelper.loadMainClass(LauncherHelper.java:778)
        at java.base/sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:686)

Looks like the 8000000 default is too low; could we increase it, e.g. to 12 or 16 million?
Additionally, the exception shown with -Xdiag should maybe contain the jdk.jar.maxSignatureFileSize property that can be used to set a custom value.
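
An added example, not part of the original report or of the JDK: a pre-upgrade check that lists the signature-related entries of a JAR whose uncompressed size exceeds a given limit, run against the old and new defaults. The function names, the set of entry names treated as signature-related, the strict "greater than" comparison and the in-memory sample JAR are assumptions made for illustration.

```python
import io
import zipfile

OLD_DEFAULT = 8_000_000    # limit quoted in the error message above
NEW_DEFAULT = 16_000_000   # default after this fix
SIG_SUFFIXES = (".SF", ".DSA", ".RSA", ".EC")

def is_signature_related(name):
    # Assumption: MANIFEST.MF, signature/block files and SIG-* entries that sit
    # directly under META-INF/ are the entries subject to the size limit.
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    base = upper[len("META-INF/"):]
    if not base or "/" in base:
        return False
    return base == "MANIFEST.MF" or base.startswith("SIG-") or base.endswith(SIG_SUFFIXES)

def oversized_entries(jar, limit):
    """Return (name, uncompressed size) for signature-related entries above limit."""
    with zipfile.ZipFile(jar) as zf:
        return [(e.filename, e.file_size) for e in zf.infolist()
                if is_signature_related(e.filename) and e.file_size > limit]

def override_for(jar, limit):
    """Property setting sized to the largest offending entry, or None if none.
    Assumes the JDK rejects only sizes strictly above the configured limit."""
    hits = oversized_entries(jar, limit)
    if not hits:
        return None
    return "-Djdk.jar.maxSignatureFileSize=%d" % max(size for _, size in hits)

def build_sample_jar(manifest_size):
    """Constructed sample: an in-memory JAR with a padded manifest of the given size."""
    header = b"Manifest-Version: 1.0\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", header + b" " * (manifest_size - len(header)))
        zf.writestr("META-INF/SAMPLE.SF", b"Signature-Version: 1.0\r\n")
        zf.writestr("com/example/App.class", b"\x00" * 64)
    return buf

if __name__ == "__main__":
    jar = build_sample_jar(8576920)  # manifest size reported in the stack trace
    for limit in (OLD_DEFAULT, NEW_DEFAULT):
        print(limit, oversized_entries(jar, limit), override_for(jar, limit))
```

`oversized_entries` also accepts a filesystem path, so the same check can be run over a directory of build artifacts before moving to a JDK that enforces the limit.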
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u-dev/pull/381 Date: 2023-10-11 00:57:35 +0000
12-09-2024

[jdk8u-fix-request] Approval Request from Andrew Hughes Follow-up to a July 2023 security fix which introduced a default maximum signature size of 8MB, that turned out to be a little too low in real world usage. This fix just doubles the default to 16MB. Backport had to be adjusted slightly to match the 8u context, but content remains the same.
24-11-2023

Changing to bug as this was breaking at least a couple of widely deployed JARs so technically it should be considered a bug.
19-10-2023

Fix Request [11u] Follow-up to a July 2023 security fix which introduced a default maximum signature size of 8MB, that turned out to be a little too low in real world usage. This fix just doubles the default to 16MB. Backport is clean.
05-09-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/2116 Date: 2023-09-02 18:05:39 +0000
02-09-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/1703 Date: 2023-08-28 12:43:24 +0000
28-08-2023

Fix Request [17u] Follow-up to a July 2023 security fix which introduced a default maximum signature size of 8MB, that turned out to be a little too low in real world usage. This fix just doubles the default to 16MB. Backport is clean.
28-08-2023

Fix Request (21u): Hi, this issue also exists in JDK21U, so I would like to backport this to jdk21u. If the size of signature-related files in a signed JAR is greater than 8000000 bytes, it's failing with Unsupported size for JarEntry . Allowed max size= 8000000bytes. This fix increases the default value to 16000000 bytes. It's a clean backport and the tests pass after the change.
22-08-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk21u/pull/76 Date: 2023-08-21 11:40:22 +0000
21-08-2023

Changeset: e47a84f2 Author: Hai-May Chao <hchao@openjdk.org> Date: 2023-07-31 15:18:04 +0000 URL: https://git.openjdk.org/jdk/commit/e47a84f23dd2608c6f5748093eefe301fb5bf750
31-07-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/15072 Date: 2023-07-28 15:34:47 +0000
28-07-2023

Moving to security-libs/java.security component.
21-07-2023

An issue with Mend has been opened, too: https://github.com/whitesource/unified-agent-distribution/issues/48
21-07-2023