ant-dev mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Re: complex signing logic in signjar
Date Tue, 22 Mar 2005 15:21:29 GMT
Steve Loughran wrote:
> I am reworking signjar to do filesets with dest dirs, and the dependency 
> logic is causing trouble:
> 
>     protected boolean isUpToDate(File jarFile, File signedjarFile) {
>         if (null == jarFile) {
>             return false;
>         }
> 
>         if (null != signedjarFile) {
> 
>             if (!jarFile.exists()) {
>               return false;
>             }
>             if (!signedjarFile.exists()) {
>               return false;
>             }
>             if (jarFile.equals(signedjarFile)) {
>               return false;
>             }
>             if (FILE_UTILS.isUpToDate(jarFile, signedjarFile)) {
>                 return true;
>             }
>         } else {
>             if (lazy) {
>                 return isSigned(jarFile);
>             }
>         }
> 
>         return false;
>     }
> 
> 
> 1. the lazy flag is only used if the signedJarfile is empty; that is, we 
> only compare ourselves.
>     if you had  <signjar jar="foo.jar" signedjar="foo.jar" /> the check 
> would not take place.
> 
> 2. but it would engage when checking filesets, because they always run 
> with signedJarFile==null
> 
> 3. and there is no check that the jar is signed by who is actually 
> signing the JAR now.
> 
> Why don't we do an isSigned check whenever the dest jar exists?

No, it makes sense. If a dest jar exists, we don't care if it is signed 
or not, only if it is older than the source.

When looking at ourselves, timestamps match, so we check then to see if 
we are signed; it is the only logic left.

I'm changing to the following rules:

-no source file: out of date
-source==dest: false or check signature
-else: check timestamp

This seems a lot simpler. The big change is now we explicitly look at 
the name of the dest file to decide whether to do isSigned() checking.

     protected boolean isUpToDate(File jarFile, File signedjarFile) {
         if (null == jarFile || !jarFile.exists()) {
             //these are pathological cases, but retained in case somebody
             //subclassed us.
             //note: || rather than &&, so a null jarFile short-circuits
             //instead of being dereferenced
             return false;
         }

         //we normally compare destination with source
         File destFile = signedjarFile;
         if(destFile==null) {
             //but if no dest is specified, compare source to source
             destFile=jarFile;
         }

         //if, by any means, the destfile and source match,
         if (jarFile.equals(destFile)) {
             if (lazy) {
                 //we check the presence of signatures on lazy signing
                 return isSigned(jarFile);
             }
             //unsigned or non-lazy self signings are always false
             return false;
         }

         //if they are different, the timestamps are used
         return FILE_UTILS.isUpToDate(jarFile, destFile);
     }



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org
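
Point 3 of the quoted message (nothing checks who signed the jar) can be covered by verifying the jar against the current signer's certificate rather than testing only that a signature is present. The class below is an added example, not Ant's code or the author's: `SignerCheck`, `isSignedBy` and `isSignatureRelated` are hypothetical names, and it assumes a modern JDK and a keystore that holds the signing alias.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: hypothetical helper, not part of Ant. */
public final class SignerCheck {
    /** The manifest and signature blocks directly under META-INF/ are not themselves signed. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(java.util.Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC");
    }

    /** True only if every payload entry verifies and was signed with the expected certificate. */
    public static boolean isSignedBy(File jar, Certificate expected) throws IOException {
        byte[] buf = new byte[8192];
        boolean sawPayload = false;
        try (JarFile jf = new JarFile(jar, true)) {          // true = verify digests and signatures
            for (JarEntry entry : Collections.list(jf.entries())) {
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                try (InputStream in = jf.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* signers are only known after a full read */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                boolean match = false;
                for (int i = 0; signers != null && i < signers.length; i++) {
                    // the first certificate in the path is the signer's own
                    match |= signers[i].getSignerCertPath().getCertificates().get(0).equals(expected);
                }
                if (!match) return false;                    // unsigned, or signed by someone else
                sawPayload = true;
            }
        } catch (SecurityException tampered) {               // digest mismatch while reading
            return false;
        }
        return sawPayload;                                   // a jar with no payload is not "signed"
    }

    public static void main(String[] args) throws Exception { // args: jar keystore storepass alias
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, args[2].toCharArray()); }
        System.out.println(isSignedBy(new File(args[0]), ks.getCertificate(args[3])));
    }
}
```

A check of this kind costs a full read of the jar, which is the trade-off against the timestamp comparison used when source and destination differ.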

