JarFile implementation calls close early which breaks verification of signed unpacked nested jars on Oracle JDK

Open philwebb opened this issue 3 years ago • 3 comments

The attempted fix for #29356 caused regression #31853. We'll need to try and find another approach. This might be easier in 3.x since we have fewer Java versions to support.

Aug 17 '22 18:08 philwebb

Hi is there any progress on this? I saw that 3.0 rc was prepared few days ago -> is there any chance that it will works on it? Thanks for help

Nov 15 '22 16:11 DaDudek

I'm afraid not @DaDudek, we've not been able to fix it yet.

Nov 15 '22 19:11 philwebb

This early closing also breaks Tomcat 10.1's JSP scanning. See https://github.com/spring-projects/spring-boot/issues/33633 for details.

Jan 18 '23 12:01 wilkinsona

#29356 is now fixed in the 3.2 but any attempt to fix this in 2.7 is too risky so I'm going to close this one.

Nov 08 '23 16:11 philwebb