ant-user mailing list archives

From T E Schmitz <mail...@numerixtechnology.de>
Subject Re: [signjar] prevent double signing
Date Thu, 04 Nov 2004 17:48:34 GMT
Hello again,

Stefan Bodewig wrote:

> On Thu, 4 Nov 2004, Ivan Ivanov <rambiusparkisanius@yahoo.com> wrote:
> 
> A signed jar contains the signature in a file named ALIAS.SF (ALIAS is
> a placeholder here) inside of the META-INF directory.  All the code in
> signjar does is check for this file.
> 
> It does not check whether the file contains anything useful or the
> signature is valid.

> Should have been in there for longer.  Let's see
> <http://cvs.apache.org/viewcvs.cgi/ant/src/main/org/apache/tools/ant/taskdefs/SignJar.java?r1=1.7&r2=1.8>
> has been added for Ant 1.4.


I had a brief look at the source code of isSigned(). It looks to me as
though the method looks for a specific .SF file if alias is set (is this
the alias passed to the signjar task?).

  if (null == alias) {
<snip>
  } else {
  return jarFile.getEntry(SIG_START + alias.toUpperCase()
      + SIG_END) != null;

And why the hell toUpperCase()?
The jars signed by Sun contain a mixed case SF file (Sun_micr.sf). The
ones I signed with the signjar task produce a mixed case SF file, too.
In fact, in both cases the SF extension is *lowercase* while SIG_END is
uppercase.

Also, it looks to me as though isSigned() is always looking for
META-INF/<alias>.SF. Or is the alias not mandatory?

PS: this is not meant to be a criticism, but it would be good if the 
documentation explained explicitly whether the lazy option checks if the 
jar is signed with any signature or with the signature about to be added.

-- 


Regards/Gruß,

Tarlika
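
The lookup discussed in this message, as an added Java example that is not part of the original post and not Ant's own code: it builds a constructed jar with a mixed-case `META-INF/Sun_micr.sf` entry and compares the exact-name `getEntry` lookup with a case-insensitive scan. The values of `SIG_START` and `SIG_END`, the class name and the `scanLookup` method are assumptions made for illustration.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class SignedCheckDemo {
    // Assumed values, taken from the description in the thread (META-INF/ALIAS.SF).
    static final String SIG_START = "META-INF/";
    static final String SIG_END = ".SF";

    // Exact-name lookup in the shape quoted above: JarFile.getEntry is case-sensitive.
    static boolean exactLookup(JarFile jar, String alias) {
        return jar.getEntry(SIG_START + alias.toUpperCase(Locale.ROOT) + SIG_END) != null;
    }

    // Hypothetical alternative: case-insensitive scan, optionally limited to one alias.
    static boolean scanLookup(JarFile jar, String alias) {
        for (JarEntry e : Collections.list(jar.entries())) {
            String n = e.getName().toUpperCase(Locale.ROOT);
            if (!n.startsWith(SIG_START) || !n.endsWith(SIG_END)) continue;
            if (n.indexOf('/', SIG_START.length()) >= 0) continue; // skip subdirectories
            String base = n.substring(SIG_START.length(), n.length() - SIG_END.length());
            if (alias == null || base.equals(alias.toUpperCase(Locale.ROOT))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a jar with a mixed-case entry and placeholder content.
        File f = File.createTempFile("demo", ".jar");
        f.deleteOnExit();
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(f))) {
            out.putNextEntry(new JarEntry("META-INF/Sun_micr.sf"));
            out.write("placeholder, not a real signature file\n".getBytes("UTF-8"));
            out.closeEntry();
        }
        try (JarFile jar = new JarFile(f, false)) {
            System.out.println("exact, alias Sun_micr: " + exactLookup(jar, "Sun_micr"));
            System.out.println("scan,  alias Sun_micr: " + scanLookup(jar, "Sun_micr"));
            System.out.println("scan,  any alias:      " + scanLookup(jar, null));
            System.out.println("scan,  alias other:    " + scanLookup(jar, "other"));
        }
    }
}
```

Either check only establishes that a signature file entry exists; as the quoted reply says, it does not show that the file contains anything useful or that the signature is valid.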

