Keyfactor / signserver-ce

SignServer – Open source, PKI-based signing software to sign code, documents, timestamps and more.
https://www.signserver.org
GNU Lesser General Public License v2.1
331 stars 37 forks source link

The signed jar entries aren't in specific order to be consumed by java.util.jar.JarInputStream and java.util.jar.JarVerifier APIs #85

Open tsiddiq opened 6 months ago

tsiddiq commented 6 months ago

The Eclipse (which is using java.util.jar.JarInputStream and java.util.jar.JarVerifier APIs) is not showing the jar plugins as signed ones which are signed by SignServer. It is because of the order of the Jar archive entries (i.e., jar -tf ), the way Java JarInputStream and JarVerifier APIs expect them to be (found out after deep dive into eclipse and java jar APIs). The JarVerifier expects META-INF/MANIFEST.MF should be the first or second entry and the .SF and .RSA file at second and third respectively. And then the remaining files in any order.

Just for showing the difference, I'm dumping one of the eclipse opensource plugin entries signed by two different approaches.

Jar entries from the plugin signed with jarsigner locally:

META-INF/MANIFEST.MF
META-INF/EXAMPLE.SF
META-INF/EXAMPLE.RSA
META-INF/
org/
org/eclipse/
org/eclipse/cdt/
org/eclipse/cdt/gdb/
org/eclipse/cdt/gdb/internal/
org/eclipse/cdt/gdb/internal/eventbkpts/
org/eclipse/cdt/gdb/eventbkpts/
org/eclipse/cdt/gdb/internal/Activator.class
org/eclipse/cdt/gdb/internal/eventbkpts/GdbCatchpoints.class
org/eclipse/cdt/gdb/eventbkpts/IEventBreakpointConstants.class
about.mappings
cdt_logo_icon32.png
about.properties
about.html
about.ini
plugin.properties

Jar entries from the plugin signed with SignServer (EE):

META-INF/
META-INF/MANIFEST.MF
org/
org/eclipse/
org/eclipse/cdt/
org/eclipse/cdt/gdb/
org/eclipse/cdt/gdb/eventbkpts/
org/eclipse/cdt/gdb/internal/
org/eclipse/cdt/gdb/internal/eventbkpts/
about.html
about.ini
about.mappings
about.properties
cdt_logo_icon32.png
org/eclipse/cdt/gdb/eventbkpts/IEventBreakpointConstants.class
org/eclipse/cdt/gdb/internal/Activator.class
org/eclipse/cdt/gdb/internal/eventbkpts/GdbCatchpoints.class
plugin.properties
META-INF/SIGNSERV.SF
META-INF/SIGNSERV.RSA

So I had to post processing the signserver's signed jar file to fix the order of its entries. IMO, it should be fixed in SignServer.

mlundblad commented 6 months ago

So, in essence we would probably need to make sure the .SF and .RSA (or .EC, I think it was when using ECDSA keys). I remember we had some other issues with manifest entry ordering, so we need to take care to cover different cases when making changes.

Will take a look at this.

Thanks!