You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ant.apache.org by bo...@apache.org on 2018/03/20 11:14:32 UTC

[3/3] ant git commit: verifyjar must use -storepass or jarsigner will not work

verifyjar must use -storepass or jarsigner will not work

https://bz.apache.org/bugzilla/show_bug.cgi?id=62194


Project: http://git-wip-us.apache.org/repos/asf/ant/repo
Commit: http://git-wip-us.apache.org/repos/asf/ant/commit/09452579
Tree: http://git-wip-us.apache.org/repos/asf/ant/tree/09452579
Diff: http://git-wip-us.apache.org/repos/asf/ant/diff/09452579

Branch: refs/heads/1.9.x
Commit: 094525796113e8a38dde003e39dae1419d7f248a
Parents: c09ac38
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Mar 20 12:13:57 2018 +0100
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Mar 20 12:13:57 2018 +0100

----------------------------------------------------------------------
 WHATSNEW                                        |  9 ++++
 manual/Tasks/signjar.html                       |  4 +-
 manual/Tasks/verifyjar.html                     |  8 +++-
 .../apache/tools/ant/taskdefs/VerifyJar.java    | 46 ++++++++++++++++++++
 src/tests/antunit/taskdefs/signjar-test.xml     |  9 ++++
 5 files changed, 73 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/WHATSNEW
----------------------------------------------------------------------
diff --git a/WHATSNEW b/WHATSNEW
index 6dd00fe..1011201 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -16,6 +16,15 @@ Fixed bugs:
  * Fixed NullPointerException when a mappedresource is used in pathconvert
    Bugzilla Report 62076
 
+ * Added a workaround for a bug in the jarsigner tool to <verifyjar>
+   which requires the -storepass command line argument when verifying
+   signatures using -strict together with a PKCS12 keystore. Unlike
+   when signing the jar it will not prompt for the keystore's password
+   and read it from standard input.
+   This means Ant will now pass the keystore's password on the command
+   line when using <verifyjar>, which poses a security risk you should
+   be aware of.
+   Bugzilla Report 62194
 
 Other changes:
 --------------

http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/manual/Tasks/signjar.html
----------------------------------------------------------------------
diff --git a/manual/Tasks/signjar.html b/manual/Tasks/signjar.html
index 0f9d778..32315c1 100644
--- a/manual/Tasks/signjar.html
+++ b/manual/Tasks/signjar.html
@@ -66,7 +66,9 @@ and <tt>lazy</tt> is false, the JAR is signed.</li>
   </tr>
   <tr>
     <td valign="top">storepass</td>
-    <td valign="top">password for keystore integrity.</td>
+    <td valign="top">password for keystore integrity. Ant will not use
+    the <code>-storepass</code> command line argument but send the
+    password to jarsigner when it prompts for it.</td>
     <td valign="top" align="center">Yes.</td>
   </tr>
   <tr>

http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/manual/Tasks/verifyjar.html
----------------------------------------------------------------------
diff --git a/manual/Tasks/verifyjar.html b/manual/Tasks/verifyjar.html
index 4be2788..886075a 100644
--- a/manual/Tasks/verifyjar.html
+++ b/manual/Tasks/verifyjar.html
@@ -52,8 +52,12 @@ supported
   </tr>
   <tr>
     <td valign="top">storepass</td>
-    <td valign="top">password for keystore integrity.</td>
-    <td valign="top" align="center">Yes.</td>
+    <td valign="top">password for keystore integrity.
+    Note that
+    jarsigner does not read the password from stdin during
+    verification, so the password must be send via a command line
+    interface and may be visible to other users of the system.</td>
+    <td valign="top" align="center">No.</td>
   </tr>
   <tr>
     <td valign="top">keystore</td>

http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
----------------------------------------------------------------------
diff --git a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
index a0003c7..4cbbe2a 100644
--- a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
@@ -58,6 +58,8 @@ public class VerifyJar extends AbstractJarSignerTask {
     /** Error output if there is a failure to verify the jar. */
     public static final String ERROR_NO_VERIFY = "Failed to verify ";
 
+    private String savedStorePass = null;
+
     /**
      * Ask for certificate information to be printed
      * @param certificates if true print certificates.
@@ -100,6 +102,42 @@ public class VerifyJar extends AbstractJarSignerTask {
     }
 
     /**
+     * @since 1.9.11
+     */
+    @Override
+    protected void beginExecution() {
+        // when using a PKCS12 keystore jarsigner -verify will not
+        // prompt for the keystore password but will only properly
+        // verify the jar with -strict enabled if the -storepass
+        // parameter is used. Note that the documentation of jarsigner
+        // says -storepass was never required with -verify - this is
+        // wrong.
+        //
+        // See https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
+        //
+        // So if strict is true then we hide storepass from the base
+        // implementation and instead add the -storepass command line
+        // argument
+        if (mustHideStorePass()) {
+            savedStorePass = storepass;
+            setStorepass(null);
+        }
+        super.beginExecution();
+    }
+
+    /**
+     * @since 1.9.11
+     */
+    @Override
+    protected void endExecution() {
+        if (savedStorePass != null) {
+            setStorepass(savedStorePass);
+            savedStorePass = null;
+        }
+        super.endExecution();
+    }
+
+    /**
      * verify a JAR.
      * @param jar the jar to verify.
      * @throws BuildException if the file could not be verified
@@ -112,6 +150,10 @@ public class VerifyJar extends AbstractJarSignerTask {
 
         setCommonOptions(cmd);
         bindToKeystore(cmd);
+        if (savedStorePass != null) {
+            addValue(cmd, "-storepass");
+            addValue(cmd, savedStorePass);
+        }
 
         //verify special operations
         addValue(cmd, "-verify");
@@ -151,6 +193,10 @@ public class VerifyJar extends AbstractJarSignerTask {
         }
     }
 
+    private boolean mustHideStorePass() {
+        return strict && storepass != null;
+    }
+
     /**
      * we are not thread safe here. Do not use on multiple threads at the same time.
      */

http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/src/tests/antunit/taskdefs/signjar-test.xml
----------------------------------------------------------------------
diff --git a/src/tests/antunit/taskdefs/signjar-test.xml b/src/tests/antunit/taskdefs/signjar-test.xml
index 4d998fb..30671cf 100644
--- a/src/tests/antunit/taskdefs/signjar-test.xml
+++ b/src/tests/antunit/taskdefs/signjar-test.xml
@@ -282,5 +282,14 @@
     </au:expectfailure>
   </target>
 
+  <target name="testVerifyJarStrict" depends="basic">
+    <verify-base jar="${signtest.jar}" strict="true"/>
+  </target>
+
+  <target name="testVerifyJarStrictPKCS12" depends="basic-pkcs12"
+          description="https://bz.apache.org/bugzilla/show_bug.cgi?id=62194">
+    <verify-base-pkcs12 jar="${signtest.jar}" strict="true"/>
+  </target>
+
 </project>