Skip to content

Signed jar verification fails when nested in an uber war running on an Oracle JVM#47284

Closed
DKARAGODIN wants to merge 1 commit intospring-projects:mainfrom
DKARAGODIN:gh-28837
Closed

Signed jar verification fails when nested in an uber war running on an Oracle JVM#47284
DKARAGODIN wants to merge 1 commit intospring-projects:mainfrom
DKARAGODIN:gh-28837

Conversation

@DKARAGODIN
Copy link
Contributor

@DKARAGODIN DKARAGODIN commented Sep 19, 2025

There is an issue with spring boot app as fat Jar that runs on Oracle JVM and uses third-party crypto libraries.

#28837

The hacked solution committed 33c5e12 is relevant to this day because ZipFile.getManifestName(onlyIfSignatureRelatedFiles) stays private. But this hacked solution only works for uber Jar.

In this PR I extend this hack to uber War.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 19, 2025
@wilkinsona wilkinsona changed the title Write signature files to uber wars for Oracle Java 17 verification Signed jar verification fails when nested in an uber war running on an Oracle JVM Sep 22, 2025
@wilkinsona wilkinsona added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 22, 2025
@wilkinsona wilkinsona added this to the 3.4.x milestone Sep 22, 2025
@wilkinsona
Copy link
Member

wilkinsona commented Sep 22, 2025

Thanks for the PR. Could you please add some tests on the Gradle side, similar to those that were added in 33c5e12. It may be possible to move BootJarIntegrationTests::signed up into AbstractBootArchiveIntegrationTests.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Sep 22, 2025
@DKARAGODIN
Copy link
Contributor Author

DKARAGODIN commented Sep 22, 2025

Thanks for the PR. Could you please add some tests on the Gradle side, similar to those that were added in 33c5e12. It may be possible to move BootJarIntegrationTests::signed up into AbstractBootArchiveIntegrationTests.

Done.

Also deleted field BootZipCopyAction#supportsSignatureFile since it was used to distinguish between jar and war build in gradle.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 22, 2025
wilkinsona
wilkinsona requested changes Sep 22, 2025
View reviewed changes
Copy link
Member

@wilkinsona wilkinsona left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates. I think there's one more tweak that could be made.

...java/org/springframework/boot/gradle/tasks/bundling/AbstractBootArchiveIntegrationTests.java Outdated
}

protected void signed(String bundling) throws IOException {
assertThat(this.gradleBuild.build(bundling).task(":" + bundling).getOutcome()).isEqualTo(TaskOutcome.SUCCESS);
Copy link
Member

@wilkinsona wilkinsona Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use this.taskName here instead of bundling and further simplify the sub-classes.

Copy link
Contributor Author

@DKARAGODIN DKARAGODIN Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Deleted tests in sub-classes.

@DKARAGODIN DKARAGODIN force-pushed the gh-28837 branch 2 times, most recently from 40533cb to c21d083 Compare September 24, 2025 09:37
@DKARAGODIN
Copy link
Contributor Author

DKARAGODIN commented Sep 24, 2025
edited by wilkinsona
Loading

Fixed merge conflicts introduced by bc46bb2.

@DKARAGODIN
Copy link
Contributor Author

DKARAGODIN commented Oct 8, 2025

Fixed merge conflicts introduced by 44099d3.

@DKARAGODIN
Copy link
Contributor Author

DKARAGODIN commented Oct 8, 2025

Do I need to do something for this PR to be merged and included in 3.5.7?

@wilkinsona
Copy link
Member

wilkinsona commented Oct 8, 2025

No, there's nothing you need to do. We're focusing pretty heavily on 4.0.0-RC1 at the moment so this change may not make it into this month's maintenance releases. Thanks for your patience in the meantime.

@CherryRum CherryRum mentioned this pull request Oct 21, 2025
Closed
@DKARAGODIN
Write signature files to uber wars for Oracle Java 17 verification
4a5005e 
This commit extends 33c5e12 to uber War.

Fixes spring-projectsgh-28837

Signed-off-by: Dmitrii Karagodin <4319788@gmail.com>
@DKARAGODIN
Copy link
Contributor Author

DKARAGODIN commented Oct 22, 2025

Fixed merge conflicts introduced by ef6fa41

@philwebb philwebb mentioned this pull request Oct 23, 2025
Closed
philwebb pushed a commit that referenced this pull request Oct 23, 2025
@DKARAGODIN @philwebb
Write signature files to uber wars for Oracle Java 17 verification
43d91ae 
Extend commit 33c5e12 to include uber Wars.

See gh-47284

Signed-off-by: Dmitrii Karagodin <4319788@gmail.com>
@philwebb philwebb closed this in 4525a0c Oct 23, 2025
@philwebb philwebb removed this from the 3.4.x milestone Oct 23, 2025
@philwebb philwebb added this to the 3.4.11 milestone Oct 23, 2025
@philwebb
Copy link
Member

philwebb commented Oct 23, 2025

Thanks very much @DKARAGODIN. This has now been merged to 3.4.x and forward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wilkinsona wilkinsona Awaiting requested review from wilkinsona

Assignees

No one assigned

Labels

status: feedback-provided Feedback has been provided type: bug A general bug

Projects

None yet

Milestone

3.4.11

Development

Successfully merging this pull request may close these issues.

4 participants

@DKARAGODIN @wilkinsona @philwebb @spring-projects-issues