adoptium / adoptium-support

For end-user problems reported with our binary distributions
Apache License 2.0

8u362: jarsigner -verify reports unsigned entries even though they've been signed #738

Open yeroc opened 1 year ago

yeroc commented 1 year ago

Please provide a brief summary of the bug

We noticed a seeming regression in 8u362 when verifying signed jars. Both 8u352 and 11.0.18 are showing all entries as signed but 8u362 shows only the MANIFEST.MF file as signed along with a "This jar contains unsigned entries which have not been integrity-checked." warning.

8u362 output:

$ sdk use java 8.0.362-tem

Using java version 8.0.362-tem in this shell.
[corey@homer tmp]$ jarsigner -verbose -verify /tmp/foo.jar

s         948 Wed Sep 24 15:54:54 MDT 2014 META-INF/MANIFEST.MF
          802 Mon Mar 13 15:31:26 MDT 2023 META-INF/KA.SF
         1172 Mon Mar 13 15:31:26 MDT 2023 META-INF/KA.DSA
            0 Fri Jul 15 10:29:10 MDT 2011 META-INF/
 m   ? 2314240 Fri Jul 15 10:28:16 MDT 2011 DPPDLL.dll
...

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
  ? = unsigned entry

- Signed by "CN=..."
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withDSA, 1024-bit key (weak)

jar verified.

Warning:
This jar contains unsigned entries which have not been integrity-checked.
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
The DSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2015-05-31).

Re-run with the -verbose and -certs options for more details.

8u352:

[corey@homer tmp]$ sdk use java 8.0.352-tem

Using java version 8.0.352-tem in this shell.
[corey@homer tmp]$ jarsigner -verbose -verify /tmp/foo.jar

s         948 Wed Sep 24 15:54:54 MDT 2014 META-INF/MANIFEST.MF
          802 Mon Mar 13 15:31:26 MDT 2023 META-INF/KA.SF
         1172 Mon Mar 13 15:31:26 MDT 2023 META-INF/KA.DSA
            0 Fri Jul 15 10:29:10 MDT 2011 META-INF/
sm     2314240 Fri Jul 15 10:28:16 MDT 2011 DPPDLL.dll
...

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

- Signed by "CN=..."
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withDSA, 1024-bit key (weak)

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
The DSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2015-05-31).

Re-run with the -verbose and -certs options for more details.

11.0.18 also verifies:

[corey@homer tmp]$ sdk use java 11.0.18-tem

Using java version 11.0.18-tem in this shell.
[corey@homer tmp]$ jarsigner -verbose -verify /tmp/foo.jar

s        948 Wed Sep 24 15:54:54 MDT 2014 META-INF/MANIFEST.MF
         802 Mon Mar 13 15:31:26 MDT 2023 META-INF/KA.SF
        1172 Mon Mar 13 15:31:26 MDT 2023 META-INF/KA.DSA
           0 Fri Jul 15 10:29:10 MDT 2011 META-INF/
sm    2314240 Fri Jul 15 10:28:16 MDT 2011 DPPDLL.dll
...

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=..."
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withDSA, 1024-bit key (weak)

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
The DSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2015-05-31).

Re-run with the -verbose and -certs options for more details.

Please provide steps to reproduce where possible

No response

Expected Results

Expect jarsigner to properly report all entries as signed.

Actual Results

jarsigner instead warns that "This jar contains unsigned entries which have not been integrity-checked."

What Java Version are you using?

openjdk version "1.8.0_362" OpenJDK Runtime Environment (Temurin)(build 1.8.0_362-b09) OpenJDK 64-Bit Server VM (Temurin)(build 25.362-b09, mixed mode)

What is your operating system and platform?

CentOS Linux release 7.9.2009 (Issue is also visible on Windows 10 build as well)

How did you install Java?

Installed via sdkman:

sdk install java 8.0.362-tem

Did it work before?

On previous releases, yes.

Did you test with the latest update version?

Yes

Did you test with other Java versions?

Yes (see above)

Relevant log output

No response

jerboaa commented 1 year ago

This will be fixed with: https://github.com/openjdk/jdk8u-dev/pull/282

jerboaa commented 1 year ago

The workaround until that lands should be to remove SHA1 denyAfter 2019-01-01 from jdk.jar.disabledAlgorithms in the java.security file.

jerboaa commented 1 year ago

Upstream bug: https://bugs.openjdk.org/browse/JDK-8278851

yeroc commented 1 year ago

@jerboaa Thanks so much! I hadn't realized this jar was dual-signed but MANIFEST.MF shows:

Name: DPPDLL.dll
SHA1-Digest: 2eqrShXQujVTdccGespKIj+uFAk=
SHA-256-Digest: I8jwKkCBVyNspzU644k05oHAMmTynwX5cJTt/jJAaQc=

So the bug you referenced is definitely the root cause here.
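
To check whether other jars carry the same SHA1-Digest plus SHA-256-Digest combination shown in this MANIFEST.MF, the manifest can be scanned offline. This is an added example, not part of the original thread or of the JDK; the function names are hypothetical and the sample jar is constructed in memory (only the DPPDLL.dll section is taken from the comment above).

```python
import io
import zipfile

def parse_manifest_digests(manifest_bytes):
    """Return {entry name: sorted list of digest algorithms} from MANIFEST.MF."""
    text = manifest_bytes.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    # Manifest lines are limited to 72 bytes; a continuation line starts with one space.
    text = text.replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):  # sections are separated by a blank line
        name, algs = None, []
        for line in section.split("\n"):
            key, sep, value = line.partition(": ")
            if sep and key.lower() == "name":
                name = value
            elif sep and key.lower().endswith("-digest"):
                algs.append(key[:-len("-Digest")].upper())
        if name is not None:  # the main section has no Name and is skipped
            digests[name] = sorted(algs)
    return digests

def dual_digest_entries(jar_file, weak=("SHA1", "SHA-1")):
    """Entries that carry a SHA-1 digest next to at least one other digest."""
    with zipfile.ZipFile(jar_file) as jar:
        digests = parse_manifest_digests(jar.read("META-INF/MANIFEST.MF"))
    return {n: a for n, a in digests.items()
            if len(a) > 1 and any(x in weak for x in a)}

def build_sample_jar():
    """Constructed in-memory jar; the DPPDLL.dll section is the one quoted in the thread."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "\r\n"
        "Name: DPPDLL.dll\r\n"
        "SHA1-Digest: 2eqrShXQujVTdccGespKIj+uFAk=\r\n"
        "SHA-256-Digest: I8jwKkCBVyNspzU644k05oHAMmTynwX5cJTt/jJAaQc=\r\n"
        "\r\n"
        "Name: lib/only-sha256.bin\r\n"  # constructed entry with a constructed digest
        "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf

if __name__ == "__main__":
    for name, algs in dual_digest_entries(build_sample_jar()).items():
        print(f"{name}: {', '.join(algs)}")
```

Pass a real jar path to `dual_digest_entries` in place of the constructed sample to list the entries that have both digest types.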

github-actions[bot] commented 1 year ago

We are marking this issue as stale because it has not been updated for a while. This is just a way to keep the support issues queue manageable. It will be closed soon unless the stale label is removed by a committer, or a new comment is made.

jerboaa commented 1 year ago

Please verify the issue is solved with 8u382 ea builds from here (8u382 in July will have this fixed): https://adoptium.net/temurin/nightly/?version=8