From: Phil Edwards
Date: Fri, 16 Mar 2018 16:25:00 -0400
Subject: apparently not passing keystore password along
To: user@ant.apache.org

We're using 1.10.1 to build and sign an executable JAR file. All of that has been working fine for a while now.
Out of paranoia, we've been asked to run the task to our post-build "quick check that this isn't gratuitously broken" target. (Other targets do more extensive testing including, you know, running the thing in a paranoid launcher.) We mentioned the concerns that had also been raised way back when bug #27596 was opened, in that it's not meant to check complete chain of validity, merely that the JAR isn't going to crash and burn when loaded. We figured fine, go ahead and run , as long as we continue to do the rest of the testing, more can't hurt.

The task is always concluding with

    [verifyjar] jar verified, with signer errors.
    [verifyjar]
    [verifyjar] Error:
    [verifyjar] This jar contains signed entries that are not signed by alias in this keystore.

    BUILD FAILED
    the\path\to\the\build.xml:444: jarsigner returned: 32
        at org.apache.tools.ant.taskdefs.ExecTask.runExecute(ExecTask.java:645)
        at org.apache.tools.ant.taskdefs.ExecTask.runExec(ExecTask.java:670)
        at org.apache.tools.ant.taskdefs.ExecTask.execute(ExecTask.java:496)
        at org.apache.tools.ant.taskdefs.VerifyJar.verifyOneJar(VerifyJar.java:130)
        at org.apache.tools.ant.taskdefs.VerifyJar.execute(VerifyJar.java:93)
        ...dozen more lines of org.apache.tools...

which doesn't make sense given the rest of the setup. Namely:

1) The JAR is being signed with the same arguments to its task: works fine.

2) We can run the_jar_file.jar and it's properly verified and loaded. And we can run

    jarsigner -verify -storetype pkcs12 -keystore the_keystore.p12 \
        -storepass yup_its_in_the_build_file -strict -certs -verbose \
        the_jar_file.jar signing_alias

and everything is fine, along with seeing 'smk' flags printed for each file in the JAR listing.

3) But running only prints 'sm' flags for each file before giving the error above.
4) Running ant with -d, we're seeing

    [verifyjar] Verifying JAR: the_jar_file.jar
    [verifyjar] Current OS is Windows 7
    [verifyjar] Using input string
    [verifyjar] Executing 'C:\Java\x64\jdk-9.0.4\bin\jarsigner.exe' with arguments:
    [verifyjar] '-strict'
    [verifyjar] '-keystore'
    [verifyjar] 'full\path\to\the_keystore.p12'
    [verifyjar] '-storetype'
    [verifyjar] 'pkcs12'
    [verifyjar] '-verify'
    [verifyjar] '-certs'
    [verifyjar] 'path\to\the_jar_file.jar'
    [verifyjar]
    [verifyjar] The ' characters around the executable and arguments are
    [verifyjar] not part of the command.
    Execute:Java13CommandLauncher: Executing 'C:\Java\x64\jdk-9.0.4\bin\jarsigner.exe' with arguments:
    '-strict'
    '-keystore'
    'full\path\to\the_keystore.p12'
    '-storetype'
    'pkcs12'
    '-verify'
    '-certs'
    'path\to\the_jar_file.jar'

Note that the "storepass" and "alias" attributes have not been passed along. Taking the successful command-line invocation of jarsigner from (2) and removing those two arguments causes the same error.

And finally, just to be certain that the output from -d is actually what's happening (yah, they're very paranoid about tools here; fifty times bitten, twice shy), I checked the current Git tree, and the command sequences built up in

    src/main/org/apache/tools/ant/taskdefs/AbstractJarSignerTask.java
    src/main/org/apache/tools/ant/taskdefs/SignJar.java
    src/main/org/apache/tools/ant/taskdefs/VerifyJar.java

confirm all this.

First, that the "alias" attribute is not being included in the command for the task. It's not required to check that the JAR is signed, but it's required to test whether the JAR has been signed by the cert we "think" (know) has been used.

Second, the storepass is a little trickier. Ant doesn't give "-storepass your_password" on its command line for security reasons, but instead sets up a redirection and feeds the password on jarsigner's stdin.
However, that only helps when jarsigner actually reads a password from stdin, and from looking at the source of the OpenJDK reference implementation

    jdk/src/share/classes/sun/security/tools/jarsigner/Main.java

it's clear that -verify turns off keystore password prompting. (See its loadKeyStore() arguments and how they're passed.)

Granted that the usefulness of jarsigner and the task is debatable, it should still actually do what it claims to do. :-) I feel not passing these two arguments is clearly a bug, but that's something the maintainers can decide.

In the meantime, I'd like to find a workaround. I had been hoping we could sneak the "-storepass" argument through somehow, perhaps using the task's , but looking at the jarsigner/Main.java source it doesn't look for any system properties at all, let alone for the keystore password.

Phil
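An added example, not part of the original message and not Ant's or the poster's code: a post-build check that calls jarsigner directly with the alias, and reads the per-entry flags the message describes ('smk' versus 'sm'). It assumes jarsigner is on the PATH and uses jarsigner's documented `-storepass:env` modifier so the password is not in the argument list; the function names, the `JAR_STOREPASS` variable and the sample output are constructed for illustration.

```python
import os
import re
import subprocess

ENV_VAR = "JAR_STOREPASS"  # hypothetical name for the variable holding the password

# Entry line of `jarsigner -verify -verbose`: flag columns, size, date, name.
ENTRY = re.compile(r"^(?P<flags>[smkiX ]*)\s(?P<size>\d+) \w{3} \w{3} \d{2} "
                   r"[\d:]{8} \S+ \d{4} (?P<name>.+)$")

def verify_command(jar, keystore, alias):
    """argv matching the working command line in the message, except that the
    password is named by environment variable instead of appearing in argv."""
    return ["jarsigner", "-verify", "-strict", "-certs", "-verbose",
            "-storetype", "pkcs12", "-keystore", keystore,
            "-storepass:env", ENV_VAR, jar, alias]

def audit(output):
    """Classify entries by flag: 's' signature verified, 'k' cert in keystore."""
    result = {"not_in_keystore": [], "unsigned": []}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # certificate detail lines, warnings, blank lines
        flags, name = m.group("flags"), m.group("name")
        if "s" in flags and "k" not in flags:
            result["not_in_keystore"].append(name)
        elif ("s" not in flags and not name.startswith("META-INF/")
              and not name.endswith("/")):  # skip signature files and directories
            result["unsigned"].append(name)
    return result

def run_check(jar, keystore, alias, password):
    """Run jarsigner; pass only on exit status 0 and no flagged entries."""
    env = dict(os.environ, **{ENV_VAR: password})
    proc = subprocess.run(verify_command(jar, keystore, alias), env=env,
                          capture_output=True, text=True)
    report = audit(proc.stdout)
    return proc.returncode == 0 and not any(report.values()), report

# Constructed sample output (not captured from a real build).
SAMPLE_SMK = """\
         312 Fri Mar 16 16:00:00 EDT 2018 META-INF/MANIFEST.MF
smk     1024 Fri Mar 16 16:00:00 EDT 2018 com/example/Main.class
"""
SAMPLE_SM = SAMPLE_SMK.replace("smk ", "sm  ")
```
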