Bug ID: 6712755
Votes: 2
Synopsis: jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13
Category: java:classes_security
Reported Against:
Release Fixed: 5.0u23(b01), 7(b64) (Bug ID:2179109)
State: 11-Closed, Verified, bug
Priority: 3-Medium
Related Bugs: 6543940, 6901143
Submit Date: 10-JUN-2008

Description
FULL PRODUCT VERSION :
1.5.0_14
ADDITIONAL OS VERSION INFORMATION :
SunOS zstv270715 5.10 Generic_127111- customer sun4v sparc SUNW,SPARC-Enterprise-T5220
A DESCRIPTION OF THE PROBLEM :
jarsigner with JDK 1.5.0_14 fails to sign iTextAsian.jar; this means that the jar file cannot be distributed via Java webstart. We verified that the problem is also present in JDK 1.5.0_15. We are staying at 1.5.0_13 until this problem is resolved.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the jarsigner with iTextAsian.jar
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting jarsigner to sign the jar file.
ACTUAL -
Failed to sign the jar file.
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use jarsigner from JDK 1.5.0_13
Release Regression From : 5.0u13
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
Posted Date : 2008-06-10 13:54:40.0

Work Around
Remove the empty MANIFEST.MF entry from the jar file and sign again.

Evaluation
I need more information to evaluate this bug report. Please attach at least the following information:
1) The jarsigner command line that you used. Please specify the -verbose option.
2) The output from the jarsigner command, including any errors or exceptions.
3) The iTextAsian.jar that you are signing.
4) Any other information that you think would be useful.
Posted Date : 2009-06-11 16:07:29.0
I looked into this a little bit more and found a problem. I downloaded iTextAsian.jar from http://www.geocities.com/itextpdf/ (also attached to this CR) and signed it using jarsigner from JDK 5u14. When I verified it, I noticed that one of the jar entries was not signed/hashed:
809 Tue Feb 04 16:28:58 EST 2003 com/lowagie/text/pdf/fonts/cjkfonts.properties
jarsigner -verify emits the following warning:
Warning: This jar contains unsigned entries which have not been integrity-checked.
This does not occur if you sign with jarsigner 5u13.
Posted Date : 2009-06-12 17:43:03.0
I've taken a look at the jar file. The problem is that it includes an illegal MANIFEST.MF with only "\r\n" inside, and then bad things happened:
1. jarsigner reads it, thinks it already has a manifest, so hasn't created a new Manifest-Main-Attributes for it.
2. when trying to write the entries to the manifest file one by one, jarsigner *removes the first one*, which it believes is the Manifest-Main-Attributes and uses the remaining parts as named sections for jar entries. Unfortunately, the first one is a jar entry, which later doesn't get signed.
Although the problem is due to the illegal MANIFEST.MF, jarsigner can be enhanced to be more robust.
Posted Date : 2009-06-15 08:18:41.0
Regression introduced by 6543940.
That fix tries to copy the raw header bytes from the old manifest to the new one. When there's no header, it regards the first jar entry section as it. I've fixed the code to recognize the empty header, which is defined as the bytes before the first empty line. An empty line can be recognized as two consecutive \r\n, or \r\n at the beginning.
Posted Date : 2009-06-17 08:02:13.0
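
A pre-signing and post-signing check for the condition described in the evaluation above, as an added example that is not part of the bug report or the JDK source: it flags a manifest whose main section is empty (the file starts with a line terminator) and lists jar entries that have no digest section in MANIFEST.MF. The function names, entry names and digest value are constructed for illustration.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(raw: bytes):
    """Split a manifest into (main_section_is_empty, {entry name: attributes})."""
    text = raw.decode("utf-8", "replace").replace("\r\n", "\n").replace("\r", "\n")
    # Main section = bytes before the first empty line; empty if the file starts with one.
    main_empty = text.strip() == "" or text.startswith("\n")
    text = text.replace("\n ", "")  # join continuation lines (they start with a space)
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in attrs:
            sections[attrs["Name"]] = attrs
    return main_empty, sections

def audit_jar(data: bytes):
    """Return (main_section_is_empty, entries with no digest in the manifest)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        main_empty, sections = parse_manifest(jar.read(MANIFEST))
        unhashed = [
            n for n in jar.namelist()
            if not n.endswith("/") and not n.upper().startswith("META-INF/")
            and not any(k.endswith("-Digest") for k in sections.get(n, {}))
        ]
    return main_empty, unhashed

def build_jar(manifest: bytes, entries):
    """Build an in-memory jar (constructed sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        for name in entries:
            jar.writestr(name, b"sample")
    return buf.getvalue()

# Constructed samples: hypothetical entry names and a placeholder digest value.
ENTRIES = ["com/example/a.properties", "com/example/B.class"]
BROKEN_INPUT = build_jar(b"\r\n", ENTRIES)  # manifest holding only "\r\n"
PARTIAL = build_jar(  # signed-looking manifest with no section for the first entry
    b"Manifest-Version: 1.0\r\n\r\n"
    b"Name: com/example/B.class\r\nSHA1-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n",
    ENTRIES,
)

if __name__ == "__main__":
    print(audit_jar(BROKEN_INPUT), audit_jar(PARTIAL))
```

A non-empty second element on a jar that is supposed to be signed corresponds to the "unsigned entries" warning from `jarsigner -verify` quoted above.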