You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ant.apache.org by bu...@apache.org on 2018/03/19 21:11:28 UTC
[Bug 62194] New: verifyjar task does not pass 'alias' attribute
along to jarsigner
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
Bug ID: 62194
Summary: verifyjar task does not pass 'alias' attribute along
to jarsigner
Product: Ant
Version: 1.10.1
Hardware: PC
Status: NEW
Severity: minor
Priority: P2
Component: Core tasks
Assignee: notifications@ant.apache.org
Reporter: freakoftheindustry@gmail.com
Target Milestone: ---
Running the <verifyjar> task with -d output makes it clear that the 'alias'
attribute is being dropped from the generated "jarsigner -verify" command.
Looking at the implementation files (AbstractJarSignerTask.java and
VerifyJar.java) confirms that this attribute is parsed out but then otherwise
ignored. This leads to errors when trying to verify a signed JAR file.
Note that this is taking into account all the concerns raised in bug 27596 in
that we're just looking for confirmation that the JAR file has had all its bits
properly massaged, *not* that the signing key was from a fully validated chain
up to a known CA root, etc.
The background email, including discussion, error tracing, and -d output, are
all on the ant-user mailing list. Trying to paste stuff from the email chain
here leads to bugzilla rejecting the bug because it thinks I'm trying to
break... something. The initial bug report was here:
https://mail-archives.apache.org/mod_mbox/ant-user/201803.mbox/%3CCAK%3DExRPyXfdL2NKTOcj5Lv3V0ccoeKah4oPPvi03isv-yzOwJg%40mail.gmail.com%3E
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
Stefan Bodewig <bo...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
Target Milestone|--- |1.10.3
--- Comment #5 from Stefan Bodewig <bo...@apache.org> ---
fixed in git, will be fixed in 1.9.11 and 1.10.3
many thanks again.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
--- Comment #2 from Stefan Bodewig <bo...@apache.org> ---
I just had a look at our existing tests, they don't specify an alias to
verifyjar and "it just works". Some experimentation shows the behavior of
jarsigner -verify to depend on the storetype. Our tests use JKS and here it
works without alias, but if I use a PKCS12 keystore it doesn't.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
--- Comment #1 from Stefan Bodewig <bo...@apache.org> ---
Many thanks for the report.
Looking through the code, -storepass should be used via AbstractJarSignerTask
(we use stdin in createRedirector), so probably really only the alias handling
is missing.
I'll try to come up with a test case so we can be sure we fix this properly. If
I understand correctly things currently don't work if I explicitly specify an
alias while signing.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
freakoftheindustry@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
--- Comment #6 from Stefan Bodewig <bo...@apache.org> ---
related: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8163354
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
--- Comment #4 from Stefan Bodewig <bo...@apache.org> ---
I've modified Ant's code to include the alias after the jar file name, but
verification still fails.
Some experimentation on the command line shows it fails for the combination of
a PKCS12 keystore and using the -strict switch. It passes, if I explicitly add
-storepass on the command line.
What seems to happen is that jarsigner does not prompt the user for the store
password but simply fails. Ant is not willing to pass the storepass via the
command line but wants to provide it via stdin - where it is never read. So
clearly jarsigner is broken (and I'm at least as fed up with Oracle's bug
reporting tools as you are with Bugzilla so I'm not sure I really want to
report it over there). I've verified the bug to be present in Oracle's Java8,
the release candidate of Java10 and the first EA build of Java11, yay.
The only option seems to be to pass the -storepass argument in <verifyjar> and
warn users this is going to happen.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 62194] verifyjar task does not pass 'alias' attribute along to
jarsigner
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
--- Comment #3 from Stefan Bodewig <bo...@apache.org> ---
Forget that last remark, I was wrong. This is independent of the store type.
Not specifying an alias works for our test cases.
Here is an example log
Signing JAR: /tmp/testoutput/signtest.jar to /tmp/testoutput/signtest.jar as
testonly
Current OS is Linux
Using input string
Executing '/usr/lib/jvm/java-8-oracle/bin/jarsigner' with arguments:
'-keystore'
'/home/stefan/devel/ASF/ant/src/etc/testcases/testkeystore.pkcs12'
'-storetype'
'pkcs12'
'/tmp/testoutput/signtest.jar'
'testonly'
The ' characters around the executable and arguments are
not part of the command.
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a
timestamp, users may not be able to validate this jar after the signer
certificate's expiration date (2030-05-10) or after any future revocation date.
testVerifyJarPKCS12:
Verifying JAR: /tmp/testoutput/signtest.jar
Current OS is Linux
Using input string
Executing '/usr/lib/jvm/java-8-oracle/bin/jarsigner' with arguments:
'-keystore'
'/home/stefan/devel/ASF/ant/src/etc/testcases/testkeystore.pkcs12'
'-storetype'
'pkcs12'
'-verify'
'/tmp/testoutput/signtest.jar'
The ' characters around the executable and arguments are
not part of the command.
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries that are not signed by alias in this keystore.
This jar contains signatures that does not include a timestamp. Without a
timestamp, users may not be able to validate this jar after the signer
certificate's expiration date (2030-05-10) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.
BUILD SUCCESSFUL
Testing further ... ah, it is -strict
While I try to come up with a fix you may use strict="false" as a workaround.
--
You are receiving this mail because:
You are the assignee for the bug.