Bug ID: JDK-8312489 Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

JDK-8312489 : Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

Type: Bug
Component: security-libs
Sub-Component: java.security
Affected Version:
7-pool,8-pool,11.0.20,11-pool,17.0.8,17-pool,20-pool,21-pool 7-pool,8-pool,11.0.20,11-pool,17.0.8,17-pool,20-pool,21-pool

Priority: P3
Status: Closed
Resolution: Fixed
OS: generic
CPU: generic

Submitted: 2023-07-21
Updated: 2024-02-14
Resolved: 2023-11-09

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 17	JDK 21	JDK 22	JDK 7	JDK 8	Other
11.0.22-oracleFixed	17.0.10-oracleFixed	21.0.1Fixed	22 b09Fixed	7u411Fixed	8u391Fixed	openjdk8u402Fixed

Related Reports

CSR :

JDK-8313216 - Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

Sub Tasks

JDK-8313215 :	Release Note: Increase Default Value of the System Property `jdk.jar.maxSignatureFileSize` - Resolved
JDK-8313219 :	Document system property jdk.jar.maxSignatureFileSize in the security guides - Resolved

Description

After 8300596  (see https://github.com/openjdk/jdk/commit/ecd0bc1d6205d1d1eca67cbfb9d4deaeb65739aa)  we run into a regression with WhiteSource/Mend jar  from 
https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar

jdk-17.0.8\bin\java -jar wss-unified-agent.jar
Error: An unexpected error occurred while trying to open file wss-unified-agent.jar

jdk-17.0.8\bin\java -Xdiag -jar wss-unified-agent.jar
Error: An unexpected error occurred while trying to open file wss-unified-agent.jar
java.io.IOException: Unsupported size: 8576920 for JarEntry META-INF/MANIFEST.MF. Allowed max size: 8000000 bytes
        at java.base/java.util.jar.JarFile.getBytes(JarFile.java:804)
        at java.base/java.util.jar.JarFile.getManifestFromReference(JarFile.java:419)
        at java.base/java.util.jar.JarFile.getManifest(JarFile.java:406)
        at java.base/sun.launcher.LauncherHelper.getMainClassFromJar(LauncherHelper.java:553)
        at java.base/sun.launcher.LauncherHelper.loadMainClass(LauncherHelper.java:778)
        at java.base/sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:686)

Looks like the 8000000 default is too low, could we increase it e.g. to 12 or 16 million ?
Additionally the exception shown with -Xdiag should maybe contain the jdk.jar.maxSignatureFileSize property that can be used to set an own value.

Comments

[jdk8u-fix-request] Approval Request from Andrew Hughes Follow-up to a July 2023 security fix which introduced a default maximum signature size of 8MB, that turned out to be a little too low in real world usage. This fix just doubles the default to 16MB. Backport had to be adjusted slightly to match the 8u context, but content remains the same.
24-11-2023
Changing to bug as this was breaking at least a couple of widely deployed JARs so technically it should be considered a bug.
19-10-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/381 Date: 2023-10-11 00:57:35 +0000
11-10-2023
Fix Request [11u] Follow-up to a July 2023 security fix which introduced a default maximum signature size of 8MB, that turned out to be a little too low in real world usage. This fix just doubles the default to 16MB. Backport is clean.
05-09-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/2116 Date: 2023-09-02 18:05:39 +0000
02-09-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/1703 Date: 2023-08-28 12:43:24 +0000
28-08-2023
Fix Request [17u] Follow-up to a July 2023 security fix which introduced a default maximum signature size of 8MB, that turned out to be a little too low in real world usage. This fix just doubles the default to 16MB. Backport is clean.
28-08-2023
Fix Request (21u): Hi, This issue also exists in the JDK21U, so i would like to backport this to jdk21u. If size of signature-related files in a signed JAR is greater than 8000000 bytes, its failing with Unsupported size for JarEntry . Allowed max size= 8000000bytes. This fix increases the default value to 16000000 byts. Its a clean backport and the test pass after change.
22-08-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk21u/pull/76 Date: 2023-08-21 11:40:22 +0000
21-08-2023
Changeset: e47a84f2 Author: Hai-May Chao <hchao@openjdk.org> Date: 2023-07-31 15:18:04 +0000 URL: https://git.openjdk.org/jdk/commit/e47a84f23dd2608c6f5748093eefe301fb5bf750
31-07-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/15072 Date: 2023-07-28 15:34:47 +0000
28-07-2023
Moving to security-libs/java.security component.
21-07-2023
An issue with Mend has been opened, too: https://github.com/whitesource/unified-agent-distribution/issues/48
21-07-2023