From ea5bb77da3b8d9e6a1b8042ff2e4ae3c1065a091 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Mat=C3=A8rne?= <jhm@apache.org>
Date: Tue, 6 Mar 2018 11:36:50 +0100
Subject: [PATCH 1/4] add a "link" to existing release notes so we could find
 it better

---
 ReleaseInstructions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ReleaseInstructions b/ReleaseInstructions
index 27d4c41f9..a68dccfad 100644
--- a/ReleaseInstructions
+++ b/ReleaseInstructions
@@ -159,7 +159,7 @@ Note: This document was updated in the context of releasing Ant
 13. Upload the maven artifacts located under java-repository/org/apache/ant
     these artifacts comprise currently for each ant jar of one POM
     file, the corresponding jar file and the corresponding GPG
-    signatures (x.pom, x.jar, x.pom.asc, x.jar.asc) MD5 and SHA1 are
+    signatures (x.pom, x.jar, x.pom.asc, x.jar.asc) SHA1 are
     generated by ivy during the upload
 
     to

From f2dd4149dc0f09563db980b9e4afb3ac4cfb8576 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Tue, 20 Mar 2018 11:56:29 +0100
Subject: [PATCH 2/4] add a PKCS12 test keystore

---
 src/etc/testcases/testkeystore.pkcs12       | Bin 0 -> 2945 bytes
 src/tests/antunit/taskdefs/signjar-test.xml |  14 ++++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 src/etc/testcases/testkeystore.pkcs12

diff --git a/src/etc/testcases/testkeystore.pkcs12 b/src/etc/testcases/testkeystore.pkcs12
new file mode 100644
index 0000000000000000000000000000000000000000..c0016c574b3fa3aad96872520cc5e819c27822be
GIT binary patch
literal 2945
zcmb7@X*d*$8h~fa7|U1(F*q1YD%*@g#)z09`xZu)ER8K0GuE*iQPz@e>|+Tbl%?#l
zuce7jVr)qrCE1b|ZudU-p7WeP_qq4a_dU=1Eq~tcLsFqpEI<&F3RQ=2oJzcqxX%q_
z1JbEbc`y|!^9xHNsh}5sD}e^UR8a3P+=-+DUqhh(p5o#Jve2o(_+Kyvc@o0;AN*^%
z7+BC$GPiqG@LpNH!*Ot3Ka9HEdV$0O0`yygsX)tWAq`SE^L)CbS61V6?KR6{*u*AD
zB~%uZimfa=sEjM{9bWma(4C+oag?t?f2nddW;C9Idj(TVPMs)8daMzTUnO*d6;_wi
zf)hq?`cH=tYIE<o?G<f9OPSDUESTKWBD@%8a>Lv~pnIXJHO#}eEBy3OuHC>Z{-_Mf
z^}89{MrLx?;R#{g(u?($PZ~~UWE4g?X&foVPTv2`^Zu6;ugEl9dyrFg2->cmau<=m
zXDh)w`N;3d%6a3n6a4`eSOaWq7~XEGxoOD5jUDqfNvV+R7f5<~H@o;n8%kT@&7ENb
zkD*ShtIK6Yg9+?8lr{ad1&XJul@R|EhSmGzV_hl~E`06`6oht>sy^Q*?%|x9B3YsD
z>a~HxM!d6Y0?3Gg+Q{6R^HQ&y7=v_xjq7$o^yLFhE<_;Lu71Xh1%kR6#NV15x8P^l
z7mLCoCI3{$A&7!W@BxAV1VG@gs0;81_yH(L#9s|UC_ymnqR%yg6iQ7MrFI6Tu8CCB
z(D*;>nv5zHD^HWuHQNC;+y;YPHZ@VyKkepf5xOSF7*WyY>jzAyml{(aV%qrEe8z$v
z?8e;vY^0=kLdTB4n=X3i@$<2gvbpLSb`osyS!Hg)If)+qnyp|aUc@G1sg{{E6_YrQ
z;<L6*NITH8(wWJ#brQOGxIFksU&YPUQ$gHsP2Y=46Yeu#zN+OfjBy0H@<rjN&oI3{
z1Os`}sB-vreBM|3<9e`XR;0NeJzcC?xi*%uI9hmf{+co!c4bVyr5d0U;L|G+Ayk#m
z=*oHf6xx*kL~-Yx4@usjKUiJ~>CMdwT;G)T<iHVCe_OW@<?sG{U)C7Hs`lkFGY70V
zzgooJe*W9C;bc=BMM&~THkvq@Q_1tO#CI|1(c_aaNhSZ4zGr!-uRy%Bdu`wuqd2_k
zUST*z+6fwVsp|}@%C^BcD7!&6qmGz@l|pSV^*i#=-aqx>g*g|?Jy)4KR@P=+E&ku^
z68|^58k%R3R5t9NC%^`wQ`yvhAruP`@GG7As{;JnFGK$M%Q^j5H8VG^Y1kqf)Y}y|
zbDtM@!T)7DmJ0d2Nicnt>71m`vMZ3*b?;}Oas2VgM4Y4Jz8mTNc(pN^TUCt9t{_-E
zppDi#kWaebL+5lpnk$MOSeVQ;-TN7|#vDgG70m;DReAEYh09&Ty$0k7Aug4j0;Uq(
z+$GH}C&ESfPn^yQ%7lwd7>=OX4Kxo94h0DAJV%Y{n4rx5L+P4nR+-Qwm^!R<?|7jr
zW6)SQ#n_j|2!t})r4577xoI_M%B^ExJD?3a4+p$&$Kd#D9d&o~=u6Z?te{UvfT))W
zE<V%7e{ejTXTJ16r%3Lc+l8}*Q8I=Wyd#<r%xMi&9L}F;z45Sj;euIB`bRK`A*0fq
zR@Ye0J}T?rR4jYOK4xI3FZ6ki(5z7p)jTvlW4Ela)d{PI+mBpVWW)=<_MB)GL-d}V
z+!R%4YeOe)y^lxbZyvXMJ+MDgbXz-FMyrH}Hqgy#I791rJ6d3F#?IxxoX#INBdu3^
z<w4Nf!R)*pzx2qy2LuymwJKuicXDI&Pc%Kjl#P7-QqPSyvlt^~*H*#HytiSi=_)C~
zqHk0A(1|&2jOOji!ONY{8f2rc^B8YN<O27C$Z=BH_ITXB25zG|btpl%Db+)zefdta
zN2Hrfg&4WKvFtg;PE*55?mii>bJkep-egO&`?P2u#B--iZLY;U(n>A5<pZ`e%eRP+
zZk}=zcqw@XgwbqW?`BQwjQH3$0B=UOX=mwhGPh>seniBV5S(*|-JtWVqvAz&fO^{$
zcM*uHMScH;-_bXh+oeOWFy&xHyHXv?+InZ2%*M3C;P>P<jM)|B`zp%^Z)4(%AR@*2
z?^X3ClwW_UOXI}F8m~1j=m#L|5SkN?(nngJ`eq;nUPhc(uC0+U=tjUWmMrS|hqK-G
z(n0$ayWR=Ia#C`$18nOCWSh8BH#Q%IQ_khn)%6)>%`cmp48K>oQShVrB-=A*UkcSJ
zPi(8GfT3VwrQK9Do33S4<0v?qzxvY6WzkghvO^5g&1vG=;gWeI+?=&ceQ&K{=i@r-
zXQv(;-V5uOT5DB771b3yIX7I&1xsekf_+jXQbt>d>`qzmtoq9IS%bim>oh4(Ctq0#
z_%S#|Hl85jo|vSG`Le)RclPa+7i70*&b)fL({gVlS@Gv#pm@4kVLj6C;@rdXydZ4|
zm%8~`SKXhM)hpfodA+-UrLTaMl9`Q*U%oXN_9%VQEi<?Yff#gf1CRKKB0*Dleg$`|
zdj@`qmQ}nTxBXZoB=Gm!k9f3=dEKv1Zc(Z&@waE1hS0_5Q@(-}+o&ZxYh(`AfC3j?
zG21^7A(m+Q$#+BJ=phM5IIWS;@4LVK=8oj5sI`Z%Me5L}ERzO1vtCu)X+zvCthrZ-
zo&x=ay8OVV^??m66ANG~qxEmvZ9&ubTDYB`;&YNBq2+EtF)R8Ud_U=i%dL|30$!27
zRk)R#xv;Or-slx|rrLmAJwR6W#VKjS1`&r3!`1Z&{NZ?Gl~rXY`04mlJcGpsh@-Hi
z9(=uofbx~&RRUzvizB<%5El&RQCJ(tnum{01PhPcnh*b;-SRCYpDVdn1J_%Sl}cFI
zv@n$FaF8$p*EB!8I^E$wf3nI0r>!O?K*^Wiye!nv_Vk<eLs+BMt4~}!xKSKh<u`6|
z!rRSc7c)L}wD3Xdlv9u#=SRcpV}36O4otSSqk<pVW4-}5m~+;pI^Tz-E57#@p_IF-
zq!q6|Vb3!FC#rrk(EapV4@z(`?rNlvq|dG0Ceowo?vyrjAJ@%|`F2@0tXdqglNlN@
zKlLq|tt~rmAtE@YO6#Y={_#%RGt80Er-rHI!UV8y1T43QBBmHT@16Ie1PELj53`y*
z1qWtM&=jLO1XPxs!BvlgI2?_5jhl-J0nEr?j9GR=YqT5bs_?6!sYG*(<r!h$V<TTq
z`DJ@nP?&Rdj!j#r@}9cQYu1KHQO@2UAN5~uEA3@Rdux26YiCt>5yB1J)ehw0fn+ge
z=B}G7x$+VmZ2Zv3HtTTZUCNT_o;t#}nMog;N@$&%)}I}J)tmfBmON}|E1P@he1q*L
zl1b=D0Li~!E<M`eW9e!N-?XH8MZ~kQjq6>{zvm9~hqnTW_9K+r{o9wH{%D%Np7Hy|
zU8|5whx@R_jy=<Y^mxLk@jY`QTLIB!U!<UOphakBfmR~*<z7gW<s#GmW~z5<5%E@;
z673OSaf~fSw2%2i3uTDq>=7?BCLvhT^5PFy=yST!tGv51WC)QVS>Pk)LN1o>f7i7{
zFkKs@YGRJrAe0}Bfj;GX8_#c9My5#5UR|Fb8~U!*a;~I~WRtwmySVb|^jo9w`YA@d
zbw@Ze!ykS7{uG;RsVY$bc@Bv{azI!Wct9+otN^f}WU=ZwaZggWDLhqD1s(SG4xCpK
fEa;41+oj*{j>|z$(VE(pdcMe>k7EG=6Y2i|{yI8#

literal 0
HcmV?d00001

diff --git a/src/tests/antunit/taskdefs/signjar-test.xml b/src/tests/antunit/taskdefs/signjar-test.xml
index 0f03bc586..4d998fb69 100644
--- a/src/tests/antunit/taskdefs/signjar-test.xml
+++ b/src/tests/antunit/taskdefs/signjar-test.xml
@@ -25,6 +25,7 @@
   <property name="signtest.jar" location="${sign.dir}/signtest.jar" />
   <property name="subdirsigntest.jar" location="${subdir}/signtest.jar" />
   <property name="testkeystore" location="../../../etc/testcases/testkeystore" />
+  <property name="testkeystore.pkcs12" location="${testkeystore}.pkcs12" />
 
   <macrodef name="assertSigned">
     <attribute name="jar" default="${signtest.jar}" />
@@ -43,6 +44,11 @@
     <verifyjar keystore="${testkeystore}" storepass="apacheant" />
   </presetdef>
 
+  <presetdef name="verify-base-pkcs12">
+    <verifyjar keystore="${testkeystore.pkcs12}" storepass="apacheant"
+               storetype="pkcs12" alias="testonly"/>
+  </presetdef>
+
   <presetdef name="sign">
     <sign-base jar="${signtest.jar}" />
   </presetdef>
@@ -60,6 +66,10 @@
     <sign />
   </target>
 
+  <target name="basic-pkcs12" depends="jar">
+    <sign keystore="${testkeystore.pkcs12}" storetype="pkcs12" strict="true"/>
+  </target>
+
   <target name="testBasic" depends="basic">
     <assertSigned />
   </target>
@@ -232,6 +242,10 @@
     <verify-base jar="${signtest.jar}" />
   </target>
 
+  <target name="testVerifyJarPKCS12" depends="basic-pkcs12">
+    <verify-base-pkcs12 jar="${signtest.jar}" />
+  </target>
+
   <target name="testVerifyJarCertificates" depends="basic">
     <verify-base jar="${signtest.jar}" certificates="true" verbose="true" />
   </target>

From c09ac387998699d7f270e89c1165820c4230a72c Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Tue, 20 Mar 2018 11:56:52 +0100
Subject: [PATCH 3/4] add the alias in verifyjar if specified

https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
---
 src/main/org/apache/tools/ant/taskdefs/VerifyJar.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
index 4ab21428c..a0003c771 100644
--- a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
@@ -123,6 +123,10 @@ public class VerifyJar extends AbstractJarSignerTask {
         //JAR  is required
         addValue(cmd, jar.getPath());
 
+        if (alias != null) {
+            addValue(cmd, alias);
+        }
+
         log("Verifying JAR: " + jar.getAbsolutePath());
         outputCache.clear();
         BuildException ex = null;

From 094525796113e8a38dde003e39dae1419d7f248a Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Tue, 20 Mar 2018 12:13:57 +0100
Subject: [PATCH 4/4] verifyjar must use -storepass or jarsigner will not work

https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
---
 WHATSNEW                                      |  9 ++++
 manual/Tasks/signjar.html                     |  4 +-
 manual/Tasks/verifyjar.html                   |  8 +++-
 .../apache/tools/ant/taskdefs/VerifyJar.java  | 46 +++++++++++++++++++
 src/tests/antunit/taskdefs/signjar-test.xml   |  9 ++++
 5 files changed, 73 insertions(+), 3 deletions(-)

diff --git a/WHATSNEW b/WHATSNEW
index 6dd00fe29..1011201f8 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -16,6 +16,15 @@ Fixed bugs:
  * Fixed NullPointerException when a mappedresource is used in pathconvert
    Bugzilla Report 62076
 
+ * Added a workaround for a bug in the jarsigner tool to <verifyjar>
+   which requires the -storepass command line argument when verifying
+   signatures using -strict together with a PKCS12 keystore. Unlike
+   when signing the jar it will not prompt for the keystore's password
+   and read it from standard input.
+   This means Ant will now pass the keystore's password on the command
+   line when using <verifyjar>, which poses a security risk you should
+   be aware of.
+   Bugzilla Report 62194
 
 Other changes:
 --------------
diff --git a/manual/Tasks/signjar.html b/manual/Tasks/signjar.html
index 0f9d77846..32315c158 100644
--- a/manual/Tasks/signjar.html
+++ b/manual/Tasks/signjar.html
@@ -66,7 +66,9 @@ and <tt>lazy</tt> is false, the JAR is signed.</li>
   </tr>
   <tr>
     <td valign="top">storepass</td>
-    <td valign="top">password for keystore integrity.</td>
+    <td valign="top">password for keystore integrity. Ant will not use
+    the <code>-storepass</code> command line argument but send the
+    password to jarsigner when it prompts for it.</td>
     <td valign="top" align="center">Yes.</td>
   </tr>
   <tr>
diff --git a/manual/Tasks/verifyjar.html b/manual/Tasks/verifyjar.html
index 4be278811..886075a79 100644
--- a/manual/Tasks/verifyjar.html
+++ b/manual/Tasks/verifyjar.html
@@ -52,8 +52,12 @@ supported
   </tr>
   <tr>
     <td valign="top">storepass</td>
-    <td valign="top">password for keystore integrity.</td>
-    <td valign="top" align="center">Yes.</td>
+    <td valign="top">password for keystore integrity.
+    Note that
+    jarsigner does not read the password from stdin during
+    verification, so the password must be send via a command line
+    interface and may be visible to other users of the system.</td>
+    <td valign="top" align="center">No.</td>
   </tr>
   <tr>
     <td valign="top">keystore</td>
diff --git a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
index a0003c771..4cbbe2a31 100644
--- a/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/VerifyJar.java
@@ -58,6 +58,8 @@ public class VerifyJar extends AbstractJarSignerTask {
     /** Error output if there is a failure to verify the jar. */
     public static final String ERROR_NO_VERIFY = "Failed to verify ";
 
+    private String savedStorePass = null;
+
     /**
      * Ask for certificate information to be printed
      * @param certificates if true print certificates.
@@ -99,6 +101,42 @@ public class VerifyJar extends AbstractJarSignerTask {
 
     }
 
+    /**
+     * @since 1.9.11
+     */
+    @Override
+    protected void beginExecution() {
+        // when using a PKCS12 keystore jarsigner -verify will not
+        // prompt for the keystore password but will only properly
+        // verify the jar with -strict enabled if the -storepass
+        // parameter is used. Note that the documentation of jarsigner
+        // says -storepass was never required with -verify - this is
+        // wrong.
+        //
+        // See https://bz.apache.org/bugzilla/show_bug.cgi?id=62194
+        //
+        // So if strict is true then we hide storepass from the base
+        // implementation and instead add the -storepass command line
+        // argument
+        if (mustHideStorePass()) {
+            savedStorePass = storepass;
+            setStorepass(null);
+        }
+        super.beginExecution();
+    }
+
+    /**
+     * @since 1.9.11
+     */
+    @Override
+    protected void endExecution() {
+        if (savedStorePass != null) {
+            setStorepass(savedStorePass);
+            savedStorePass = null;
+        }
+        super.endExecution();
+    }
+
     /**
      * verify a JAR.
      * @param jar the jar to verify.
@@ -112,6 +150,10 @@ public class VerifyJar extends AbstractJarSignerTask {
 
         setCommonOptions(cmd);
         bindToKeystore(cmd);
+        if (savedStorePass != null) {
+            addValue(cmd, "-storepass");
+            addValue(cmd, savedStorePass);
+        }
 
         //verify special operations
         addValue(cmd, "-verify");
@@ -151,6 +193,10 @@ public class VerifyJar extends AbstractJarSignerTask {
         }
     }
 
+    private boolean mustHideStorePass() {
+        return strict && storepass != null;
+    }
+
     /**
      * we are not thread safe here. Do not use on multiple threads at the same time.
      */
diff --git a/src/tests/antunit/taskdefs/signjar-test.xml b/src/tests/antunit/taskdefs/signjar-test.xml
index 4d998fb69..30671cfb2 100644
--- a/src/tests/antunit/taskdefs/signjar-test.xml
+++ b/src/tests/antunit/taskdefs/signjar-test.xml
@@ -282,5 +282,14 @@
     </au:expectfailure>
   </target>
 
+  <target name="testVerifyJarStrict" depends="basic">
+    <verify-base jar="${signtest.jar}" strict="true"/>
+  </target>
+
+  <target name="testVerifyJarStrictPKCS12" depends="basic-pkcs12"
+          description="https://bz.apache.org/bugzilla/show_bug.cgi?id=62194">
+    <verify-base-pkcs12 jar="${signtest.jar}" strict="true"/>
+  </target>
+
 </project>