Posted to notifications@ant.apache.org by bo...@apache.org on 2018/03/20 11:17:00 UTC
[1/5] ant git commit: add a "link" to existing release notes so we
could find it better
Repository: ant
Updated Branches:
refs/heads/master 14bf21868 -> f64dbfbc2
add a "link" to existing release notes so we could find it better
Project: http://git-wip-us.apache.org/repos/asf/ant/repo
Commit: http://git-wip-us.apache.org/repos/asf/ant/commit/ea5bb77d
Tree: http://git-wip-us.apache.org/repos/asf/ant/tree/ea5bb77d
Diff: http://git-wip-us.apache.org/repos/asf/ant/diff/ea5bb77d
Branch: refs/heads/master
Commit: ea5bb77da3b8d9e6a1b8042ff2e4ae3c1065a091
Parents: e06168c
Author: Jan Matèrne <jh...@apache.org>
Authored: Tue Mar 6 11:36:50 2018 +0100
Committer: Jan Matèrne <jh...@apache.org>
Committed: Tue Mar 6 11:39:50 2018 +0100
----------------------------------------------------------------------
ReleaseInstructions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ant/blob/ea5bb77d/ReleaseInstructions
----------------------------------------------------------------------
diff --git a/ReleaseInstructions b/ReleaseInstructions
index 27d4c41..a68dccf 100644
--- a/ReleaseInstructions
+++ b/ReleaseInstructions
@@ -159,7 +159,7 @@ Note: This document was updated in the context of releasing Ant
13. Upload the maven artifacts located under java-repository/org/apache/ant
these artifacts comprise currently for each ant jar of one POM
file, the corresponding jar file and the corresponding GPG
- signatures (x.pom, x.jar, x.pom.asc, x.jar.asc) MD5 and SHA1 are
+ signatures (x.pom, x.jar, x.pom.asc, x.jar.asc) SHA1 are
generated by ivy during the upload
to
[4/5] ant git commit: verifyjar must use -storepass or jarsigner will
not work
Posted by bo...@apache.org.
verifyjar must use -storepass or jarsigner will not work
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
Project: http://git-wip-us.apache.org/repos/asf/ant/repo
Commit: http://git-wip-us.apache.org/repos/asf/ant/commit/09452579
Tree: http://git-wip-us.apache.org/repos/asf/ant/tree/09452579
Diff: http://git-wip-us.apache.org/repos/asf/ant/diff/09452579
Branch: refs/heads/master
Commit: 094525796113e8a38dde003e39dae1419d7f248a
Parents: c09ac38
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Mar 20 12:13:57 2018 +0100
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Mar 20 12:13:57 2018 +0100
----------------------------------------------------------------------
WHATSNEW | 9 ++++
manual/Tasks/signjar.html | 4 +-
manual/Tasks/verifyjar.html | 8 +++-
.../apache/tools/ant/taskdefs/VerifyJar.java | 46 ++++++++++++++++++++
src/tests/antunit/taskdefs/signjar-test.xml | 9 ++++
5 files changed, 73 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/WHATSNEW
----------------------------------------------------------------------
diff --git a/WHATSNEW b/WHATSNEW
index 6dd00fe..1011201 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -16,6 +16,15 @@ Fixed bugs:
* Fixed NullPointerException when a mappedresource is used in pathconvert
Bugzilla Report 62076
+ * Added a workaround for a bug in the jarsigner tool to <verifyjar>
+ which requires the -storepass command line argument when verifying
+ signatures using -strict together with a PKCS12 keystore. Unlike
+ when signing the jar it will not prompt for the keystore's password
+ and read it from standard input.
+ This means Ant will now pass the keystore's password on the command
+ line when using <verifyjar>, which poses a security risk you should
+ be aware of.
+ Bugzilla Report 62194
Other changes:
--------------
http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/manual/Tasks/signjar.html
----------------------------------------------------------------------
diff --git a/manual/Tasks/signjar.html b/manual/Tasks/signjar.html
index 0f9d778..32315c1 100644
--- a/manual/Tasks/signjar.html
+++ b/manual/Tasks/signjar.html
@@ -66,7 +66,9 @@ and <tt>lazy</tt> is false, the JAR is signed.</li>
</tr>
<tr>
<td valign="top">storepass</td>
- <td valign="top">password for keystore integrity.</td>
+ <td valign="top">password for keystore integrity. Ant will not use
+ the <code>-storepass</code> command line argument but send the
+ password to jarsigner when it prompts for it.</td>
<td valign="top" align="center">Yes.</td>
</tr>
<tr>
http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/manual/Tasks/verifyjar.html
----------------------------------------------------------------------
diff --git a/manual/Tasks/verifyjar.html b/manual/Tasks/verifyjar.html
index 4be2788..886075a 100644
--- a/manual/Tasks/verifyjar.html
+++ b/manual/Tasks/verifyjar.html
@@ -52,8 +52,12 @@ supported
</tr>
<tr>
<td valign="top">storepass</td>
- <td valign="top">password for keystore integrity.</td>
- <td valign="top" align="center">Yes.</td>
+ <td valign="top">password for keystore integrity.
+ Note that
+ jarsigner does not read the password from stdin during
+ verification, so the password must be send via a command line
+ interface and may be visible to other users of the system.</td>
+ <td valign="top" align="center">No.</td>
</tr>
<tr>
<td valign="top">keystore</td>
http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
----------------------------------------------------------------------
diff --git a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
index a0003c7..4cbbe2a 100644
--- a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
@@ -58,6 +58,8 @@ public class VerifyJar extends AbstractJarSignerTask {
/** Error output if there is a failure to verify the jar. */
public static final String ERROR_NO_VERIFY = "Failed to verify ";
+ private String savedStorePass = null;
+
/**
* Ask for certificate information to be printed
* @param certificates if true print certificates.
@@ -100,6 +102,42 @@ public class VerifyJar extends AbstractJarSignerTask {
}
/**
+ * @since 1.9.11
+ */
+ @Override
+ protected void beginExecution() {
+ // when using a PKCS12 keystore jarsigner -verify will not
+ // prompt for the keystore password but will only properly
+ // verify the jar with -strict enabled if the -storepass
+ // parameter is used. Note that the documentation of jarsigner
+ // says -storepass was never required with -verify - this is
+ // wrong.
+ //
+ // See https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
+ //
+ // So if strict is true then we hide storepass from the base
+ // implementation and instead add the -storepass command line
+ // argument
+ if (mustHideStorePass()) {
+ savedStorePass = storepass;
+ setStorepass(null);
+ }
+ super.beginExecution();
+ }
+
+ /**
+ * @since 1.9.11
+ */
+ @Override
+ protected void endExecution() {
+ if (savedStorePass != null) {
+ setStorepass(savedStorePass);
+ savedStorePass = null;
+ }
+ super.endExecution();
+ }
+
+ /**
* verify a JAR.
* @param jar the jar to verify.
* @throws BuildException if the file could not be verified
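Review bot: The Javadoc on the new `beginExecution()` and `endExecution()` overrides consists only of an `@since` tag, so the security-relevant side effect is not described where a subclass author would look for it. I would give `beginExecution()` a summary such as `Hides the keystore password from the base implementation when strict verification is requested, so that it is passed to jarsigner via -storepass instead.` and `endExecution()` one such as `Restores the keystore password hidden by beginExecution().`. Restoring `storepass` depends on `endExecution()` always running after `beginExecution()`; the caller is outside this hunk, so that pairing should be confirmed there.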
@@ -112,6 +150,10 @@ public class VerifyJar extends AbstractJarSignerTask {
setCommonOptions(cmd);
bindToKeystore(cmd);
+ if (savedStorePass != null) {
+ addValue(cmd, "-storepass");
+ addValue(cmd, savedStorePass);
+ }
//verify special operations
addValue(cmd, "-verify");
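Review bot: Adding `-storepass` and the plaintext `savedStorePass` to `cmd` puts the secret into jarsigner's argument list, where other local users can read it from the process table while the child runs; it may also reach Ant's own output if the command line is logged at verbose or debug level (not visible in this hunk, worth checking). A comment at the added lines would make the trade-off explicit, for example `// deliberate: jarsigner -verify does not prompt, so the password ends up in argv (see bug 62194)`. Where the jarsigner in use supports it, the `-storepass:env` or `-storepass:file` form keeps the value out of the argument list and could be a safer follow-up. The enclosing method starts and ends outside the hunk.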
@@ -151,6 +193,10 @@ public class VerifyJar extends AbstractJarSignerTask {
}
}
+ private boolean mustHideStorePass() {
+ return strict && storepass != null;
+ }
+
/**
* we are not thread safe here. Do not use on multiple threads at the same time.
*/
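Review bot: `mustHideStorePass()` returns true for every keystore type, although the comment in `beginExecution()` describes the jarsigner problem only for PKCS12 keystores; builds that verify with `strict` against another store type now also get their password placed on the command line. Narrowing the check, e.g. `return strict && storepass != null && "pkcs12".equalsIgnoreCase(storetype);`, would limit the exposure to the case that needs it. This assumes the base class exposes a `storetype` field and that the type is set explicitly; a JDK whose default keystore type is PKCS12 would need separate handling. A one-line Javadoc stating when the password is diverted would help either way.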
http://git-wip-us.apache.org/repos/asf/ant/blob/09452579/src/tests/antunit/taskdefs/signjar-test.xml
----------------------------------------------------------------------
diff --git a/src/tests/antunit/taskdefs/signjar-test.xml b/src/tests/antunit/taskdefs/signjar-test.xml
index 4d998fb..30671cf 100644
--- a/src/tests/antunit/taskdefs/signjar-test.xml
+++ b/src/tests/antunit/taskdefs/signjar-test.xml
@@ -282,5 +282,14 @@
</au:expectfailure>
</target>
+ <target name="testVerifyJarStrict" depends="basic">
+ <verify-base jar="${signtest.jar}" strict="true"/>
+ </target>
+
+ <target name="testVerifyJarStrictPKCS12" depends="basic-pkcs12"
+ description="https://bz.apache.org/bugzilla/show_bug.cgi?id=62194">
+ <verify-base-pkcs12 jar="${signtest.jar}" strict="true"/>
+ </target>
+
</project>
[5/5] ant git commit: Merge branch '1.9.x'
Posted by bo...@apache.org.
Merge branch '1.9.x'
Project: http://git-wip-us.apache.org/repos/asf/ant/repo
Commit: http://git-wip-us.apache.org/repos/asf/ant/commit/f64dbfbc
Tree: http://git-wip-us.apache.org/repos/asf/ant/tree/f64dbfbc
Diff: http://git-wip-us.apache.org/repos/asf/ant/diff/f64dbfbc
Branch: refs/heads/master
Commit: f64dbfbc24ad105cebb83c2591af4e9edb801cf8
Parents: 14bf218 0945257
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Mar 20 12:16:48 2018 +0100
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Mar 20 12:16:48 2018 +0100
----------------------------------------------------------------------
WHATSNEW | 10 ++++
manual/Tasks/signjar.html | 4 +-
manual/Tasks/verifyjar.html | 8 ++-
src/etc/testcases/testkeystore.pkcs12 | Bin 0 -> 2945 bytes
.../apache/tools/ant/taskdefs/VerifyJar.java | 50 +++++++++++++++++++
src/tests/antunit/taskdefs/signjar-test.xml | 23 +++++++++
6 files changed, 92 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ant/blob/f64dbfbc/WHATSNEW
----------------------------------------------------------------------
diff --cc WHATSNEW
index 0415592,1011201..abebee6
--- a/WHATSNEW
+++ b/WHATSNEW
@@@ -23,10 -16,16 +23,20 @@@ Fixed bugs
* Fixed NullPointerException when a mappedresource is used in pathconvert
Bugzilla Report 62076
+ * Fixed an issue where a string, when used as a resource collection, within
+ tokens, would be replaced by property values
+ Bugzilla Report 62147
+
+ * Added a workaround for a bug in the jarsigner tool to <verifyjar>
+ which requires the -storepass command line argument when verifying
+ signatures using -strict together with a PKCS12 keystore. Unlike
+ when signing the jar it will not prompt for the keystore's password
+ and read it from standard input.
+ This means Ant will now pass the keystore's password on the command
+ line when using <verifyjar>, which poses a security risk you should
+ be aware of.
+ Bugzilla Report 62194
+
Other changes:
--------------
http://git-wip-us.apache.org/repos/asf/ant/blob/f64dbfbc/manual/Tasks/signjar.html
----------------------------------------------------------------------
diff --cc manual/Tasks/signjar.html
index 53269f3,32315c1..e7e75cc
--- a/manual/Tasks/signjar.html
+++ b/manual/Tasks/signjar.html
@@@ -45,136 -47,144 +45,138 @@@ place.</p
</ul>
<h3>Parameters</h3>
-<table border="1" cellpadding="2" cellspacing="0">
+<table class="attr">
<tr>
- <td valign="top"><b>Attribute</b></td>
- <td valign="top"><b>Description</b></td>
- <td align="center" valign="top"><b>Required</b></td>
+ <th>Attribute</th>
+ <th>Description</th>
+ <th>Required</th>
</tr>
<tr>
- <td valign="top">jar</td>
- <td valign="top">the jar file to sign</td>
- <td valign="top" align="center">Yes, unless nested paths have
- been used.</td>
+ <td>jar</td>
+ <td>the jar file to sign</td>
+ <td>Yes, unless nested paths have been used</td>
</tr>
<tr>
- <td valign="top">alias</td>
- <td valign="top">the alias to sign under</td>
- <td valign="top" align="center">Yes.</td>
+ <td>alias</td>
+ <td>the alias to sign under</td>
+ <td>Yes</td>
</tr>
<tr>
- <td valign="top">storepass</td>
- <td valign="top">password for keystore integrity. Ant will not use
+ <td>storepass</td>
- <td>password for keystore integrity.</td>
++ <td>password for keystore integrity. Ant will not use
+ the <code>-storepass</code> command line argument but send the
+ password to jarsigner when it prompts for it.</td>
- <td valign="top" align="center">Yes.</td>
+ <td>Yes</td>
</tr>
<tr>
- <td valign="top">keystore</td>
- <td valign="top">keystore location</td>
- <td valign="top" align="center">No</td>
+ <td>keystore</td>
+ <td>keystore location</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">storetype</td>
- <td valign="top">keystore type</td>
- <td valign="top" align="center">No</td>
+ <td>storetype</td>
+ <td>keystore type</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">keypass</td>
- <td valign="top">password for private key (if different)</td>
- <td valign="top" align="center">No</td>
+ <td>keypass</td>
+ <td>password for private key (if different)</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">sigfile</td>
- <td valign="top">name of .SF/.DSA file</td>
- <td valign="top" align="center">No</td>
+ <td>sigfile</td>
+ <td>name of <samp>.SF</samp>/<samp>.DSA</samp> file</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">signedjar</td>
- <td valign="top">name of signed JAR file. This can only be set when
- the <tt>jar</tt> attribute is set.</td>
- <td valign="top" align="center">No.</td>
+ <td>signedjar</td>
+ <td>name of signed JAR file. This can only be set when the <var>jar</var> attribute is set.</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">verbose</td>
- <td valign="top">(true | false) verbose output when signing</td>
- <td valign="top" align="center">No; default false</td>
+ <td>verbose</td>
+ <td>(<q>true|false</q>) verbose output when signing</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">strict</td>
- <td valign="top">(true | false) strict checking when signing.<br/><em>since Ant 1.9.1</em>.</td>
- <td valign="top" align="center">No; default false</td>
+ <td>strict</td>
+ <td>(<q>true|false</q>) strict checking when signing.<br/><em>since Ant 1.9.1</em>.</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">internalsf</td>
- <td valign="top">(true | false) include the .SF file inside the signature
-block</td>
- <td valign="top" align="center">No; default false</td>
+ <td>internalsf</td>
+ <td>(<q>true|false</q>) include the <samp>.SF</samp> file inside the signature block</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">sectionsonly</td>
- <td valign="top">(true | false) don't compute hash of entire manifest</td>
- <td valign="top" align="center">No; default false</td>
+ <td>sectionsonly</td>
+ <td>(<q>true|false</q>) don't compute hash of entire manifest</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">lazy</td>
- <td valign="top">flag to control whether the presence of a signature
- file means a JAR is signed. This is only used when the target JAR matches
- the source JAR</td>
- <td valign="top" align="center">No; default false</td>
+ <td>lazy</td>
+ <td>flag to control whether the presence of a signature file means a JAR is signed. This is only
+ used when the target JAR matches the source JAR</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">maxmemory</td>
- <td valign="top">Specifies the maximum memory the jarsigner VM will use. Specified in the
- style of standard java memory specs (e.g. 128m = 128 MBytes)</td>
- <td valign="top" align="center">No</td>
+ <td>maxmemory</td>
+ <td>Specifies the maximum memory the <kbd>jarsigner</kbd> JVM will use. Specified in the style
+ of standard Java memory specs (e.g. <q>128m</q> = 128 MBytes)</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">preservelastmodified</td>
- <td valign="top">Give the signed files the same last modified
- time as the original jar files.</td>
- <td valign="top" align="center">No; default false.</td>
+ <td>preservelastmodified</td>
+ <td>Give the signed files the same last modified time as the original jar files.</td>
+ <td>No; default <q>false</q>.</td>
</tr>
<tr>
- <td valign="top">tsaurl</td>
- <td valign="top">URL for a timestamp authority for timestamped
- JAR files in Java1.5+</td>
- <td valign="top" align="center">No</td>
+ <td>tsaurl</td>
+ <td>URL for a timestamp authority for timestamped JAR files in Java 5+</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">tsacert</td>
- <td valign="top">alias in the keystore for a timestamp authority for
- timestamped JAR files in Java1.5+</td>
- <td valign="top" align="center">No</td>
+ <td>tsacert</td>
+ <td>alias in the keystore for a timestamp authority for timestamped JAR files in Java 5+</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">tsaproxyhost</td>
- <td valign="top">proxy host to be used when connecting to TSA server</td>
- <td valign="top" align="center">No</td>
+ <td>tsaproxyhost</td>
+ <td>proxy host to be used when connecting to TSA server</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">tsaproxyport</td>
- <td valign="top">proxy port to be used when connecting to TSA server</td>
- <td valign="top" align="center">No</td>
+ <td>tsaproxyport</td>
+ <td>proxy port to be used when connecting to TSA server</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">executable</td>
- <td valign="top">Specify a particular <code>jarsigner</code> executable
- to use in place of the default binary (found in the same JDK as
- Apache Ant is running in).<br/>
- Must support the same command line options as the Sun JDK
- jarsigner command.
- <em>since Ant 1.8.0</em>.</td>
- <td align="center" valign="top">No</td>
+ <td>executable</td>
+ <td>Specify a particular <kbd>jarsigner</kbd> executable to use in place of the default binary
+ (found in the same JDK as Apache Ant is running in).<br/>Must support the same command line
+ options as the Sun JDK <kbd>jarsigner</kbd> command. <em>since Ant 1.8.0</em>.</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">force</td>
- <td valign="top">Whether to force signing of the jar file even if
- it doesn't seem to be out of date or already signed.
- <em>since Ant 1.8.0</em>.</td>
- <td align="center" valign="top">No; default false</td>
+ <td>force</td>
+ <td>Whether to force signing of the jar file even if it doesn't seem to be out of date or
+ already signed. <em>since Ant 1.8.0</em>.</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">sigalg</td>
- <td valign="top">name of signature algorithm</td>
- <td valign="top" align="center">No</td>
+ <td>sigalg</td>
+ <td>name of signature algorithm</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">digestalg</td>
- <td valign="top">name of digest algorithm</td>
- <td valign="top" align="center">No</td>
+ <td>digestalg</td>
+ <td>name of digest algorithm</td>
+ <td>No</td>
+ </tr>
+ <tr>
+ <td>tsadigestalg</td>
+ <td>name of TSA digest algorithm. <em>since Ant 1.10.2</em></td>
+ <td>No</td>
</tr>
</table>
<h3>Parameters as nested elements</h3>
http://git-wip-us.apache.org/repos/asf/ant/blob/f64dbfbc/manual/Tasks/verifyjar.html
----------------------------------------------------------------------
diff --cc manual/Tasks/verifyjar.html
index e20c401,886075a..e10d756
--- a/manual/Tasks/verifyjar.html
+++ b/manual/Tasks/verifyjar.html
@@@ -24,101 -24,110 +24,105 @@@
<body>
-<h2><a name="verifyjar">VerifyJar</a></h2>
+<h2 id="verifyjar">VerifyJar</h2>
<h3>Description</h3>
-<p>Verifies JAR files with the <tt>jarsigner</tt> command line tool.
-It will take a named file in the <tt>jar</tt> attribute. Nested paths are also
-supported
-</p>
-
+<p>Verifies JAR files with
+the <a href="https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html"
+target="_top"><kbd>jarsigner</kbd></a> command line tool. It will take a named file in
+the <var>jar</var> attribute. Nested paths are also supported.</p>
<h3>Parameters</h3>
-<table border="1" cellpadding="2" cellspacing="0">
+<table class="attr">
<tr>
- <td valign="top"><b>Attribute</b></td>
- <td valign="top"><b>Description</b></td>
- <td align="center" valign="top"><b>Required</b></td>
+ <th>Attribute</th>
+ <th>Description</th>
+ <th>Required</th>
</tr>
<tr>
- <td valign="top">jar</td>
- <td valign="top">the jar file to verify</td>
- <td valign="top" align="center">Yes, unless nested paths have
- been used.</td>
+ <td>jar</td>
+ <td>the jar file to verify</td>
+ <td>Yes, unless nested paths have been used</td>
</tr>
<tr>
- <td valign="top">alias</td>
- <td valign="top">the alias to verify under</td>
- <td valign="top" align="center">Yes.</td>
+ <td>alias</td>
+ <td>the alias to verify under</td>
+ <td>Yes</td>
</tr>
<tr>
- <td valign="top">storepass</td>
- <td valign="top">password for keystore integrity.
+ <td>storepass</td>
- <td>password for keystore integrity.</td>
- <td>Yes</td>
++ <td>password for keystore integrity.
+ Note that
+ jarsigner does not read the password from stdin during
+ verification, so the password must be send via a command line
+ interface and may be visible to other users of the system.</td>
- <td valign="top" align="center">No.</td>
++ <td>No</td>
</tr>
<tr>
- <td valign="top">keystore</td>
- <td valign="top">keystore location</td>
- <td valign="top" align="center">No</td>
+ <td>keystore</td>
+ <td>keystore location</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">storetype</td>
- <td valign="top">keystore type</td>
- <td valign="top" align="center">No</td>
+ <td>storetype</td>
+ <td>keystore type</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">keypass</td>
- <td valign="top">password for private key (if different)</td>
- <td valign="top" align="center">No</td>
+ <td>keypass</td>
+ <td>password for private key (if different)</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">certificates</td>
- <td valign="top">(true | false) display information about certificates</td>
- <td valign="top" align="center">No; default false</td>
+ <td>certificates</td>
+ <td>(<q>true|false</q>) display information about certificates</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">verbose</td>
- <td valign="top">(true | false) verbose output when verifying</td>
- <td valign="top" align="center">No; default false</td>
+ <td>verbose</td>
+ <td>(<q>true|false</q>) verbose output when verifying</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">strict</td>
- <td valign="top">(true | false) strict checking when verifying.<br/><em>since Ant 1.9.1</em>.</td>
- <td valign="top" align="center">No; default false</td>
+ <td>strict</td>
+ <td>(<q>true|false</q>) strict checking when verifying.<br/><em>since Ant 1.9.1</em>.</td>
+ <td>No; default <q>false</q></td>
</tr>
<tr>
- <td valign="top">maxmemory</td>
- <td valign="top">Specifies the maximum memory the jarsigner VM will use. Specified in the
- style of standard java memory specs (e.g. 128m = 128 MBytes)</td>
- <td valign="top" align="center">No</td>
+ <td>maxmemory</td>
+ <td>Specifies the maximum memory the <kbd>jarsigner</kbd> JVM will use. Specified in the style
+ of standard Java memory specs (e.g. <q>128m</q> = 128 MBytes)</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">executable</td>
- <td valign="top">Specify a particular <code>jarsigner</code> executable
- to use in place of the default binary (found in the same JDK as
- Apache Ant is running in).<br/>
- Must support the same command line options as the Sun JDK
- jarsigner command.
- <em>since Ant 1.8.0</em>.</td>
- <td align="center" valign="top">No</td>
- </tr>
+ <td>executable</td>
+ <td>Specify a particular <kbd>jarsigner</kbd> executable to use in place of the default binary
+ (found in the same JDK as Apache Ant is running in).<br/> Must support the same command line
+ options as the Sun JDK <kbd>jarsigner</kbd> command. <em>since Ant 1.8.0</em>.</td>
+ <td>No</td>
+ </tr>
</table>
<h3>Parameters as nested elements</h3>
-<table border="1" cellpadding="2" cellspacing="0">
+<table class="attr">
<tr>
- <td valign="top"><b>Attribute</b></td>
- <td valign="top"><b>Description</b></td>
- <td align="center" valign="top"><b>Required</b></td>
+ <th>Attribute</th>
+ <th>Description</th>
+ <th>Required</th>
</tr>
<tr>
- <td valign="top">path</td>
- <td valign="top">path of JAR files to verify. <em>since Ant 1.7</em></td>
- <td valign="top" align="center">No</td>
+ <td>path</td>
+ <td>path of JAR files to verify. <em>since Ant 1.7</em></td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">fileset</td>
- <td valign="top">fileset of JAR files to verify. </td>
- <td valign="top" align="center">No</td>
+ <td>fileset</td>
+ <td>fileset of JAR files to verify.</td>
+ <td>No</td>
</tr>
<tr>
- <td valign="top">sysproperty</td>
- <td valign="top">JVM system properties, with the syntax of Ant
- <a href="exec.html#env">environment variables</a> </td>
- <td valign="top" align="center">No, and only one can be supplied</td>
+ <td>sysproperty</td>
+ <td>JVM system properties, with the syntax of Ant <a href="exec.html#env">environment
+ variables</a></td>
+ <td>No, and only one can be supplied</td>
</tr>
</table>
http://git-wip-us.apache.org/repos/asf/ant/blob/f64dbfbc/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
----------------------------------------------------------------------
diff --cc src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
index 5f9c8f3,4cbbe2a..adf1bce
--- a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
@@@ -58,7 -55,11 +58,9 @@@ public class VerifyJar extends Abstract
*/
private boolean certificates = false;
private BufferingOutputFilter outputCache = new BufferingOutputFilter();
- /** Error output if there is a failure to verify the jar. */
- public static final String ERROR_NO_VERIFY = "Failed to verify ";
+ private String savedStorePass = null;
+
/**
* Ask for certificate information to be printed
* @param certificates if true print certificates.
@@@ -100,6 -101,43 +102,42 @@@
}
/**
- * @since 1.9.11
++ * @since 1.10.3
+ */
+ @Override
+ protected void beginExecution() {
+ // when using a PKCS12 keystore jarsigner -verify will not
+ // prompt for the keystore password but will only properly
+ // verify the jar with -strict enabled if the -storepass
+ // parameter is used. Note that the documentation of jarsigner
+ // says -storepass was never required with -verify - this is
+ // wrong.
+ //
+ // See https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
+ //
+ // So if strict is true then we hide storepass from the base
+ // implementation and instead add the -storepass command line
+ // argument
+ if (mustHideStorePass()) {
+ savedStorePass = storepass;
+ setStorepass(null);
+ }
+ super.beginExecution();
+ }
+
+ /**
- * @since 1.9.11
++ * @since 1.10.3
+ */
+ @Override
+ protected void endExecution() {
+ if (savedStorePass != null) {
+ setStorepass(savedStorePass);
+ savedStorePass = null;
+ }
+ super.endExecution();
+ }
+
+ /**
* verify a JAR.
* @param jar the jar to verify.
* @throws BuildException if the file could not be verified
[3/5] ant git commit: add the alias in verifyjar if specified
Posted by bo...@apache.org.
add the alias in verifyjar if specified
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
Project: http://git-wip-us.apache.org/repos/asf/ant/repo
Commit: http://git-wip-us.apache.org/repos/asf/ant/commit/c09ac387
Tree: http://git-wip-us.apache.org/repos/asf/ant/tree/c09ac387
Diff: http://git-wip-us.apache.org/repos/asf/ant/diff/c09ac387
Branch: refs/heads/master
Commit: c09ac387998699d7f270e89c1165820c4230a72c
Parents: f2dd414
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Mar 20 11:56:52 2018 +0100
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Mar 20 11:56:52 2018 +0100
----------------------------------------------------------------------
src/main/org/apache/tools/ant/taskdefs/VerifyJar.java | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ant/blob/c09ac387/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
----------------------------------------------------------------------
diff --git a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
index 4ab2142..a0003c7 100644
--- a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
@@ -123,6 +123,10 @@ public class VerifyJar extends AbstractJarSignerTask {
//JAR is required
addValue(cmd, jar.getPath());
+ if (alias != null) {
+ addValue(cmd, alias);
+ }
+
log("Verifying JAR: " + jar.getAbsolutePath());
outputCache.clear();
BuildException ex = null;
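Review bot: The added `alias` argument has no comment explaining why it is appended after the jar path, and the order matters because jarsigner's verify syntax takes alias names as trailing positional arguments. I would add `// optional alias follows the jar file: jarsigner -verify [options] jar-file [alias ...]` above the `if`. Since `alias` was apparently not passed to jarsigner before this change, builds that already set it may see different verification results, which seems worth a WHATSNEW line. The enclosing method starts and ends outside the hunk.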
[2/5] ant git commit: add a PKCS12 test keystore
Posted by bo...@apache.org.
add a PKCS12 test keystore
Project: http://git-wip-us.apache.org/repos/asf/ant/repo
Commit: http://git-wip-us.apache.org/repos/asf/ant/commit/f2dd4149
Tree: http://git-wip-us.apache.org/repos/asf/ant/tree/f2dd4149
Diff: http://git-wip-us.apache.org/repos/asf/ant/diff/f2dd4149
Branch: refs/heads/master
Commit: f2dd4149dc0f09563db980b9e4afb3ac4cfb8576
Parents: ea5bb77
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Mar 20 11:56:29 2018 +0100
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Mar 20 11:56:29 2018 +0100
----------------------------------------------------------------------
src/etc/testcases/testkeystore.pkcs12 | Bin 0 -> 2945 bytes
src/tests/antunit/taskdefs/signjar-test.xml | 14 ++++++++++++++
2 files changed, 14 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ant/blob/f2dd4149/src/etc/testcases/testkeystore.pkcs12
----------------------------------------------------------------------
diff --git a/src/etc/testcases/testkeystore.pkcs12 b/src/etc/testcases/testkeystore.pkcs12
new file mode 100644
index 0000000..c0016c5
Binary files /dev/null and b/src/etc/testcases/testkeystore.pkcs12 differ
http://git-wip-us.apache.org/repos/asf/ant/blob/f2dd4149/src/tests/antunit/taskdefs/signjar-test.xml
----------------------------------------------------------------------
diff --git a/src/tests/antunit/taskdefs/signjar-test.xml b/src/tests/antunit/taskdefs/signjar-test.xml
index 0f03bc5..4d998fb 100644
--- a/src/tests/antunit/taskdefs/signjar-test.xml
+++ b/src/tests/antunit/taskdefs/signjar-test.xml
@@ -25,6 +25,7 @@
<property name="signtest.jar" location="${sign.dir}/signtest.jar" />
<property name="subdirsigntest.jar" location="${subdir}/signtest.jar" />
<property name="testkeystore" location="../../../etc/testcases/testkeystore" />
+ <property name="testkeystore.pkcs12" location="${testkeystore}.pkcs12" />
<macrodef name="assertSigned">
<attribute name="jar" default="${signtest.jar}" />
@@ -43,6 +44,11 @@
<verifyjar keystore="${testkeystore}" storepass="apacheant" />
</presetdef>
+ <presetdef name="verify-base-pkcs12">
+ <verifyjar keystore="${testkeystore.pkcs12}" storepass="apacheant"
+ storetype="pkcs12" alias="testonly"/>
+ </presetdef>
+
<presetdef name="sign">
<sign-base jar="${signtest.jar}" />
</presetdef>
@@ -60,6 +66,10 @@
<sign />
</target>
+ <target name="basic-pkcs12" depends="jar">
+ <sign keystore="${testkeystore.pkcs12}" storetype="pkcs12" strict="true"/>
+ </target>
+
<target name="testBasic" depends="basic">
<assertSigned />
</target>
@@ -232,6 +242,10 @@
<verify-base jar="${signtest.jar}" />
</target>
+ <target name="testVerifyJarPKCS12" depends="basic-pkcs12">
+ <verify-base-pkcs12 jar="${signtest.jar}" />
+ </target>
+
<target name="testVerifyJarCertificates" depends="basic">
<verify-base jar="${signtest.jar}" certificates="true" verbose="true" />
</target>