8203839: API clarification: versioned jar entry verification in multi-release jar file
Reviewed-by: darcy, psandoz, alanb, weijun
parent 977a3ef019
commit a78fe0a073
@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -93,10 +93,14 @@ import java.util.zip.ZipFile;
* argument. This assures that classes compatible with the major
* version of the running JVM are loaded from multi-release jar files.
*
* <p>If the verify flag is on when opening a signed jar file, the content of
* the file is verified against its signature embedded inside the file. Please
* note that the verification process does not include validating the signer's
* certificate. A caller should inspect the return value of
* <p> If the {@code verify} flag is on when opening a signed jar file, the content
* of the jar entry is verified against the signature embedded inside the manifest
* that is associated with its {@link JarEntry#getRealName() path name}. For a
* multi-release jar file, the content of a versioned entry is verfieid against
* its own signature and {@link JarEntry#getCodeSigners()} returns its own signers.
*
* Please note that the verification process does not include validating the
* signer's certificate. A caller should inspect the return value of
* {@link JarEntry#getCodeSigners()} to further determine if the signature
* can be trusted.
*
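Review bot: the added sentence on multi-release jars misspells "verified" as "verfieid" ("the content of a versioned entry is verfieid against"); this is public javadoc, so it should be corrected before the text is published. Two smaller points in the same hunk: the new paragraph opens with "<p> If" where the text it replaces used "<p>If", and the "Please note that the verification process does not include validating the signer's certificate" sentence now sits after a blank " *" line without its own <p>, so javadoc will render it as part of the preceding paragraph. If the certificate caveat is meant to stand out as a separate paragraph, which seems worthwhile given that callers rely on it to know they must check getCodeSigners() themselves, start it with <p>.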