Bug ID: 6712755 jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0

6712755 : jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13

Details

Type:	Bug	Submit Date:	2008-06-10
Status:	Closed	Updated Date:	2011-02-16
Project Name:	JDK	Resolved Date:	2009-12-14
Component:	security-libs	OS:	solaris_10
Sub-Component:	java.security	CPU:	sparc
Priority:	P3
Resolution:	Fixed
Affected Versions:	5.0
Fixed Versions:	5.0u23

Related Reports

Backport:	JDK-2179108 - jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13
Backport:	JDK-2186699 - jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13
Backport:	JDK-2179109 - jarsigner fails to sign itextasian.jar since 1.5.0_b14, it works with 1.5.0_13
Relates:	JDK-6543940 - Exception thrown when signing a jarfile in java 1.5
Relates:	JDK-6901143 - TEST_BUG sun/security/tools/jarsigner/emptymanifest.sh use illegal key -strict for jarsigner

Sub Tasks

Description

FULL PRODUCT VERSION :
1.5.0_14

ADDITIONAL OS VERSION INFORMATION :
SunOS zstv270715 5.10 Generic_127111-02 sun4v sparc SUNW,SPARC-Enterprise-T5220


A DESCRIPTION OF THE PROBLEM :
jarsigner with JDK 1.5.0_14 fails to sign iTextAsian.jar, this means that the jar file cannot be distributed via Java webstart. We verified that the problem is also present in JDK 1.5.0_15. We are staying at 1.5.0_13 until this problem is resolved.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the jarsigner with iTextAsian.jar

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting jarsigner to sign the jar file.
ACTUAL -
Failed to sign the jar file.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Use jarsigner from JDK 1.5.0_13

Release Regression From : 5.0u13
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Comments

EVALUATION Regression introduced by 6543940. That fix tries to copy the raw header bytes from the old manifest to the new one. When there's no header, it regards the first jar entry section as it. I've fixed the codes to recognize the empty header, which is defined as the bytes before the first empty line. An empty line can be recognized as two consecutive \r\n, or, \r\n at the beginning.
2009-06-17
EVALUATION I've taken a look at the jar file. The problem is that it includes an illegal MANIFEST.MF with only "\r\n" inside, and then bad things happened: 1. jarsigner reads it, thinks it already has a manifest, so hasn't created a new Manifest-Main-Attributes for it. 2. when trying to write the entries to the manifest file one by one, jarsigner removes the first one, which it believes is the Manifest-Main-Attributes and uses the remaining parts as named sections for jar entries. Unfortunately, the first one is a jar entry, which later doesn't get signed. Although the problem is due to the illegal MANIFEST.MF, jarsigner can be enhanced to be more robust.
2009-06-15
WORK AROUND Remove the empty MANIFEST.MF entry from the jar file and sign again.
2009-06-15
EVALUATION I looked into this a little bit more and found a problem. I downloaded iTextAsian.jar from http://www.geocities.com/itextpdf/ (also attached to this CR) and signed it using jarsigner from JDK 5u14. When I verified it, I noticed that one of the jar entries was not signed/hashed: 809 Tue Feb 04 16:28:58 EST 2003 com/lowagie/text/pdf/fonts/cjkfonts.properties jarsigner -verify emits the following warning: Warning: This jar contains unsigned entries which have not been integrity-checked. This does not occur if you sign with jarsigner 5u13.
2009-06-12
EVALUATION I need more information to evaluate this bug report. Please attach at least the following information: 1) The jarsigner command line that you used. Please specify the -verbose option. 2) The output from the jarsigner command, including any errors or exceptions. 3) The iTextAsian.jar that you are signing. 4) Any other information that you think would be useful.
2009-06-11

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together