Velocity Reviews > Java > really odd problem with jar signing (http://www.velocityreviews.com/forums/t956421-really-odd-problem-with-jar-signing.html)

Andreas Leitgeb 01-11-2013 01:38 PM

really odd problem with jar signing
 
When signing a particular JAR file with jarsigner, *one* of the
enclosed .class files does *not* get signed!

So, when signing, a list of *almost* all content files, each with
its base64'd SHA1 checksum, gets added to the original manifest,
just not for that said .class file. Only that one class's name
*doesn't show up* in the MANIFEST.MF, nor in the *.SF.

Using some other zip-utility, that shows me all kinds of internal
attributes for each zip-content, there was nothing special about
that one file, and it is correctly unpacked with both "unzip"
and "jar xf".
Using a separate utility to obtain the base64'd sha1-sum of the
unpacked .class file didn't show anything obviously special about
that file's sha1-sum. (it's: oh3SlsLIlsoFZbS2QhWyV2JuroA= )

I'm really confused by this observed behaviour of jarsigner
just skipping one of the files in one of about 20 JARs.

I'll continue trying further tricks from the "shouldn't matter
but maybe does" category, but maybe someone recognizes the
symptoms already from the description so far, and is able to
point to jarsigner's "lesser known feature".

PS: The signing is actually done by someone else, but they
assured me, they really just run the jarsigner utility.


Roedy Green 01-11-2013 04:45 PM

Re: really odd problem with jar signing
 
On Fri, 11 Jan 2013 13:38:11 +0000 (UTC), Andreas Leitgeb
<avl@gamma.logic.tuwien.ac.at> wrote, quoted or indirectly quoted
someone who said :

>When signing a particular JAR file with jarsigner *one* of the
>enclosed .class files does *not* get signed !


What is the name of the file? / vs \, some odd char in name?
Is the file itself a valid class file? Try JarCheck, see
http://mindprod.com/products1.html#JARCHECK

Could you post the unsigned jar for us to experiment with?

One idea is DSA/RSA certs are supported by different levels of Java.
Perhaps the file is marked for an old Java version and Jarsigner
thinks the cert is not valid for it.
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.

Andreas Leitgeb 01-11-2013 05:39 PM

Re: really odd problem with jar signing
 
Roedy Green <see_website@mindprod.com.invalid> wrote:
> On Fri, 11 Jan 2013 13:38:11 +0000 (UTC), Andreas Leitgeb
> <avl@gamma.logic.tuwien.ac.at> wrote:
>> When signing a particular JAR file with jarsigner *one* of the
>> enclosed .class files does *not* get signed !

> What is the name of the file? / vs \, some odd char in name?


Double checked this again. It has forward slashes, and no bogus
characters in the name. I examined a hexdump of the JAR-file to
verify that.

> It is the file itself a valid class file. Try JarCheck see
> http://mindprod.com/products1.html#JARCHECK


I verified correctness of the .class file with some tool that
we have here for that task, and the file was ok.

> Could you post the unsigned jar for us to experiment with?


Not that one, unfortunately. As I'm analyzing this, I'll see
if I find this symptom also with a publicly available jar file.

> One idea is DSA/RSA certs are supported by different levels of Java.
> Perhaps the file is marked for an old Java version and Jarsigner
> thinks the cert is not valid for it.


I'm not sure I'm following you here, but I have verified that
all class files in that jar are of the same class-file version. They
all start with the same "CA FE BA BE 00 03 00 2D" bytes.

Are there other criteria that could make jarsigner see a particular
class file as unfit? I'd have expected that jarsigner could deal with
any file regardless of its contents, anyway. All it is supposed to do
with each content file is obtain the sha1-checksum. The certificate
will then only be used to sign the Name+Checksum entries of the
MANIFEST.MF, so the actual contents do not even get in touch with
the signing certificate.

PS: I've now binary patched that one class file (changed some
String literal within it), and sent the resulting jar file to
those who sign it (though I don't expect it back before Monday).
I hope I'll know more, then.

Thank you for answering!
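
Since jarsigner is expected to add a Name/SHA1-Digest section for every non-signature entry, the symptom described in this thread (one class silently absent from MANIFEST.MF and the .SF) can be detected mechanically after signing. The script below is an added example, not code from this thread, from the JDK or from any poster: it parses MANIFEST.MF (unfolding the continuation lines the manifest format uses because no line may exceed 72 bytes), recomputes the base64 SHA1 of each JAR entry, and reports entries that have no digest section or whose stored digest does not match. It runs against a constructed in-memory JAR whose class names and bytes are made up for the example; one class is omitted from the manifest and another carries a stale digest. The attribute name and digest algorithm are parameters because newer JDKs write SHA-256-Digest by default, whereas this 2013 thread concerns SHA1-Digest.

```python
import base64
import hashlib
import io
import zipfile


def unfold_manifest_lines(text):
    """Join manifest continuation lines: a line beginning with one space
    continues the previous line (the manifest format wraps at 72 bytes)."""
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_manifest(text):
    """Return (main_attributes, {entry_name: attributes}) for a MANIFEST.MF."""
    sections, current = [], {}
    for line in unfold_manifest_lines(text):
        if line == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def digest_b64(data, algorithm="sha1"):
    """Base64 of the raw digest, the form stored in the manifest's *-Digest attributes."""
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def is_signature_related(name):
    """Entries that are not digested: the manifest itself and signature files."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")))


def check_jar_digests(jar_bytes, attr="SHA1-Digest", algorithm="sha1"):
    """Compare every JAR entry against its manifest digest section.
    Returns (missing, mismatched): names with no digest section at all, and
    (name, expected, actual) tuples whose stored digest is wrong."""
    missing, mismatched = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        _, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or is_signature_related(name):
                continue  # directories and signature files carry no digest
            section = entries.get(name)
            if section is None or attr not in section:
                missing.append(name)
                continue
            actual = digest_b64(zf.read(name), algorithm)
            if section[attr] != actual:
                mismatched.append((name, section[attr], actual))
    return missing, mismatched


def fold(line):
    """Wrap one manifest line to the 72-byte rule (ASCII-only names assumed here)."""
    out, rest = line[:70], line[70:]
    while rest:
        out += "\r\n " + rest[:69]
        rest = rest[69:]
    return out + "\r\n"


# Constructed name, long enough that the manifest writer must fold its Name line.
LONG_NAME = "com/example/deeply/nested/pkg/ClassWithANameLongEnoughToForceManifestFolding.class"


def build_sample_jar():
    """Constructed sample JAR (not a real artifact): four class-like entries,
    one omitted from the manifest and one with a stale digest."""
    header = b"\xca\xfe\xba\xbe\x00\x03\x00\x2d"  # class file magic + version bytes quoted in the thread
    files = {
        "com/example/A.class": header + b"A" * 20,
        "com/example/B.class": header + b"B" * 20,
        "com/example/C.class": header + b"C" * 20,
        LONG_NAME: header + b"L" * 20,
    }
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    manifest += fold("Name: com/example/A.class") + fold("SHA1-Digest: " + digest_b64(files["com/example/A.class"])) + "\r\n"
    # B carries a digest computed over different bytes (stale after a rebuild)
    manifest += fold("Name: com/example/B.class") + fold("SHA1-Digest: " + digest_b64(b"old B bytes")) + "\r\n"
    # C is deliberately left out, mimicking the symptom reported in the thread
    manifest += fold("Name: " + LONG_NAME) + fold("SHA1-Digest: " + digest_b64(files[LONG_NAME])) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    missing, mismatched = check_jar_digests(build_sample_jar())
    print("no digest section:", missing)
    print("digest mismatch:", [m[0] for m in mismatched])
```

Because the .SF file and its signature block cover the manifest sections rather than the entry bytes, an entry that never received a manifest section sits entirely outside the signature even when `jarsigner -verify` reports the signature blocks as valid; the script's `missing` list is therefore the check to run on a signed JAR before trusting it. The folded Name line in the sample is there because a long entry name is one ordinary reason a naive manifest reader fails to find a section that jarsigner did in fact write.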

Roedy Green 01-11-2013 06:01 PM

Re: really odd problem with jar signing
 
On Fri, 11 Jan 2013 13:38:11 +0000 (UTC), Andreas Leitgeb
<avl@gamma.logic.tuwien.ac.at> wrote, quoted or indirectly quoted
someone who said :

> *one* of the
>enclosed .class files does *not* get signed !


Does that file have an embedded, leading or trailing space in the name?

Andreas Leitgeb 01-11-2013 06:41 PM

Re: really odd problem with jar signing
 
Roedy Green <see_website@mindprod.com.invalid> wrote:
> On Fri, 11 Jan 2013 13:38:11 +0000 (UTC), Andreas Leitgeb
><avl@gamma.logic.tuwien.ac.at> wrote, quoted or indirectly quoted
> someone who said :
>> *one* of the
>> enclosed .class files does *not* get signed !

> does that file have an embedded, lead, trail space in the name?


I've checked that too, both in the unzip -l output and in the hexdump of
the jar: no, it definitely didn't.
Just ASCII letters (which implies not even umlauts or accented letters),
digits, forward slashes ('/') and one dot "." between the class name and the
filename extension "class".


Roedy Green 01-11-2013 10:02 PM

Re: really odd problem with jar signing
 
On Fri, 11 Jan 2013 17:39:50 +0000 (UTC), Andreas Leitgeb
<avl@gamma.logic.tuwien.ac.at> wrote, quoted or indirectly quoted
someone who said :

>All it is supposed to do
>with each content file is obtain the sha1-checksum


It signs resources too, so it really has no right to discriminate. This
may be a bug. It is singling out your member improperly. Is it
abnormally huge? Can you rename it? Perhaps you accidentally used
some name it considers reserved? Can you reorder the jar? Are there
"duplicates" in the jar, perhaps differing only in case?



Roedy Green 01-11-2013 10:14 PM

Re: really odd problem with jar signing
 
On Fri, 11 Jan 2013 14:02:47 -0800, Roedy Green
<see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
someone who said :

>It signs resources too so it really has no right to discriminate. This
>may be a bug. It is singling out your member improperly. Is it
>abnormally huge? Can you rename it. Perhaps you accidentally used
>some name it considers reserved? Can you reorder the jar? Are there
>"duplicates" in the jar, perhaps differing only in case.


The contents of the class may be proprietary, but is the list of jar
members secret? A hex dump of the start of the member?

Joerg Meier 01-13-2013 09:49 AM

Re: really odd problem with jar signing
 
On Fri, 11 Jan 2013 18:41:36 +0000 (UTC), Andreas Leitgeb wrote:

> Roedy Green <see_website@mindprod.com.invalid> wrote:
>> On Fri, 11 Jan 2013 13:38:11 +0000 (UTC), Andreas Leitgeb
>><avl@gamma.logic.tuwien.ac.at> wrote, quoted or indirectly quoted
>> someone who said :
>>> *one* of the
>>> enclosed .class files does *not* get signed !

>> does that file have an embedded, lead, trail space in the name?

> I've checked that, too, both in the unzip -l output and in the hexdump of
> the jar: No, it definitely didn't.
> Just ascii-letters (that implies: not even umlauts or accented letters),


I think you mean ASCII-7.

> digits, forward-slashes ('/') and one dot "." between class name and the
> filename extension "class".


It would be helpful if you could just tell us the actual name. You should
also try signing it yourself, to see if you can reproduce the issue, and if
not, to contact the signer and see what he does differently.

Kind regards,
Joerg

--
I don't read my emails, so replies by email unfortunately
go unread.

Lars Enderin 01-13-2013 10:35 AM

Re: really odd problem with jar signing
 
2013-01-13 10:49, Joerg Meier wrote:
> On Fri, 11 Jan 2013 18:41:36 +0000 (UTC), Andreas Leitgeb wrote:
>
>> Just ascii-letters (that implies: not even umlauts or accented letters),

>
> I think you mean ASCII-7.


Unqualified "ascii" is seven-bit.

--
Lars Enderin

Andreas Leitgeb 01-13-2013 04:44 PM

Re: really odd problem with jar signing
 
Roedy Green <see_website@mindprod.com.invalid> wrote:
> On Fri, 11 Jan 2013 14:02:47 -0800, Roedy Green
>> It signs resources too so it really has no right to discriminate. This
>> may be a bug. It is singling out your member improperly. Is it
>> abnormally huge? Can you rename it. Perhaps you accidentally used
>> some name it considers reserved? Can you reorder the jar? Are there
>> "duplicates" in the jar, perhaps differing only in case.


The ignored class file is less than 5k in size, and there is no
other file with the same name (up to capitalization) in the archive.

I do have a couple of further plans on my list to try next week.
(And I've just added "renaming the class file" to that list, even
if it's only for further narrowing down the problem.)

At this time, my reason for posting was to trigger responses of
people who may have experienced the same problem themselves and
maybe even solved it. Since no one came up with the words "Yes,
I've seen that..." so far, I tend to believe that the problem is
at least not all that common. This will help me focus my further
analysis.

Once I get to reproduce it with a self-signed certificate and
some opensource jar file, I'll be sure to come back here.

Thanks to all participating so far!

