Open tsiddiq opened 6 months ago
So, in essence we would probably need to make sure the .SF and .RSA (or .EC, I think it was when using ECDSA keys). I remember we had some other issues with manifest entry ordering, so we need to take care to cover different cases when making changes.
Will take a look at this.
Thanks!
Eclipse (which uses the java.util.jar.JarInputStream and java.util.jar.JarVerifier APIs) is not showing jar plugins signed by SignServer as signed. It is because of the order of the Jar archive entries (i.e., jar -tf) and the way the Java JarInputStream and JarVerifier APIs expect them to be (found out after a deep dive into the Eclipse and Java jar APIs). The JarVerifier expects META-INF/MANIFEST.MF to be the first or second entry, and the .SF and .RSA files at second and third respectively, with the remaining files in any order.
Just to show the difference, I'm dumping the entries of one of the Eclipse open-source plugins signed by two different approaches.
Jar entries from the plugin signed with jarsigner locally:

Jar entries from the plugin signed with SignServer (EE):
So I had to post-process SignServer's signed jar file to fix the order of its entries. IMO, it should be fixed in SignServer.
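The ordering problem described above can be checked and corrected outside of SignServer. The following is an added example (not code from the issue author and not part of SignServer) that builds two constructed in-memory jars with the same entries in different orders, checks them against the ordering rule stated in the issue (manifest first, allowing a leading `META-INF/` directory entry, then the `.SF` file, then the `.RSA`/`.DSA`/`.EC` signature block), and rewrites an out-of-order jar so the signature entries come first. The exact rule JarVerifier applies is taken from the issue text and is an assumption here; the sample entry contents are placeholders, not real signature data.

```python
import io
import zipfile

# Constructed sample entries: placeholder bytes standing in for a real
# manifest, signature file and PKCS#7 signature block (not real signatures).
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\nName: plugin.xml\r\nSHA-256-Digest: PLACEHOLDER\r\n\r\n",
    "META-INF/SIGNER.SF": b"Signature-Version: 1.0\r\n\r\n",
    "META-INF/SIGNER.RSA": b"PLACEHOLDER-SIGNATURE-BLOCK",
    "plugin.xml": b"<plugin/>",
    "lib/a.class": b"\xca\xfe\xba\xbe",
}

# Signature block suffixes recognised by the JDK jar tooling.
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_jar(order):
    """Build an in-memory jar whose entries are written in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in order:
            zf.writestr(name, SAMPLE_ENTRIES[name])
    return buf.getvalue()


def entry_names(jar_bytes):
    """Return the entry names in archive order (what `jar -tf` would print)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def _is_sf(name):
    return name.startswith("META-INF/") and name.upper().endswith(".SF")


def _is_sig_block(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIG_BLOCK_SUFFIXES)


def check_entry_order(jar_bytes):
    """Return a list of ordering problems; an empty list means the jar matches
    the expected layout (manifest, .SF, signature block, then everything else).
    Assumption: this is the rule described in the issue for JarVerifier."""
    names = entry_names(jar_bytes)
    # A leading META-INF/ directory entry is tolerated before the manifest.
    start = 1 if names and names[0] == "META-INF/" else 0
    head = names[start:start + 3]
    problems = []
    if len(head) < 3:
        return ["fewer than three entries after optional META-INF/ directory"]
    if head[0] != "META-INF/MANIFEST.MF":
        problems.append(f"expected META-INF/MANIFEST.MF first, found {head[0]!r}")
    if not _is_sf(head[1]):
        problems.append(f"expected a META-INF/*.SF entry second, found {head[1]!r}")
    if not _is_sig_block(head[2]):
        problems.append(f"expected a META-INF/*.RSA|.DSA|.EC entry third, found {head[2]!r}")
    return problems


def _rank(info):
    """Sort key placing signature-related entries first; everything else keeps
    its original relative order because sorted() is stable."""
    name = info.filename
    if name == "META-INF/":
        return 0
    if name == "META-INF/MANIFEST.MF":
        return 1
    if _is_sf(name):
        return 2
    if _is_sig_block(name):
        return 3
    return 4


def reorder_for_verifier(jar_bytes):
    """Rewrite the jar with signature entries first. Entry contents, names and
    compression settings are copied unchanged, so the digests recorded in the
    manifest and .SF file still match."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in sorted(src.infolist(), key=_rank):
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    good = build_jar(["META-INF/MANIFEST.MF", "META-INF/SIGNER.SF",
                      "META-INF/SIGNER.RSA", "plugin.xml", "lib/a.class"])
    bad = build_jar(["plugin.xml", "lib/a.class", "META-INF/MANIFEST.MF",
                     "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA"])
    print("good jar problems:", check_entry_order(good))
    print("bad jar problems:", check_entry_order(bad))
    print("fixed order:", entry_names(reorder_for_verifier(bad)))
```

Because the reorder step copies each entry's bytes verbatim, it does not touch the signed content; it only changes where the entries sit in the archive, which is exactly the post-processing the issue describes. Running `check_entry_order` over a build's output is a cheap regression check for the case where a signing service emits the right entries in the wrong order.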