
FULL PRODUCT VERSION :
java version "1.8.0-ea"
Java(TM) SE Runtime Environment (build 1.8.0-ea-b121)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b63, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux tc 3.12.6-1-ARCH #1 SMP PREEMPT Fri Dec 20 19:39:00 CET 2013 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
In Apache maven-jarsigner-plugin we got a regression around the jarsigner -verify command applied to an unsigned jar.

With jdk 1.7.0_45:

$> jarsigner -verify tampered.jar
jarsigner: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Exit code is 1.

With jdk 1.8.0:

$> jarsigner -verify tampered.jar
jar is unsigned. (signatures missing or not parsable)

Exit code is 0.

REGRESSION. Last worked in version 7u45

ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try on a badly signed jar:

svn co http://svn.apache.org/repos/asf/maven/plugins/trunk/maven-jarsigner-plugin/src/it/verify-fail/tampered.jar
Run jarsigner -verify tampered.jar on it.

or

Get the maven-jarsigner-plugin and execute the verify-fail IT

svn co http://svn.apache.org/repos/asf/maven/plugins/trunk/maven-jarsigner-plugin
cd maven-jarsigner-plugin
mvn verify -Prun-its -Dinvoker.pom=src/it/verify-fail/pom.xml

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Exit code = 1
ACTUAL -
Exit code = 0

REPRODUCIBILITY :
This bug can be reproduced always.
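
For build pipelines that gate on `jarsigner -verify`, the report above means the exit code alone cannot be trusted. The following is an added example, not code from the JDK or from maven-jarsigner-plugin: a fail-closed wrapper that also inspects the output. The function names `classify_verify` and `strict_verify` are hypothetical, and it assumes `jarsigner` prints `jar verified.` on success.

```shell
#!/bin/sh
# Added example: strict interpretation of `jarsigner -verify` results.
# Function names are hypothetical; they do not come from the JDK or the plugin.

# classify_verify EXIT_CODE OUTPUT
# Prints one of: verified | unsigned | failed
# Returns 0 only when the jar was positively verified.
classify_verify() {
    code=$1
    output=$2
    # Non-zero exit: jarsigner itself reported a failure (the 7u45 behaviour).
    if [ "$code" -ne 0 ]; then
        echo failed
        return 1
    fi
    case $output in
        *"jar is unsigned"*)
            # Exit code 0, but nothing was verified (the 1.8.0-ea behaviour).
            echo unsigned
            return 2
            ;;
        *"jar verified"*)
            echo verified
            return 0
            ;;
        *)
            # Unrecognised output: fail closed rather than trust exit code 0.
            echo failed
            return 1
            ;;
    esac
}

# strict_verify JAR
# Runs jarsigner on JAR and applies the classification above.
strict_verify() {
    output=$(jarsigner -verify "$1" 2>&1)
    code=$?
    classify_verify "$code" "$output"
}
```

Calling `strict_verify tampered.jar` returns non-zero under both JDK versions described in the report, because the "jar is unsigned" message is treated as a failure.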