8203839: API clarification: versioned jar entry verification in multi-release jar file
authorsherman
Thu, 07 Jun 2018 13:24:49 -0700
changeset 50451 c9513ce29c18
parent 50450 517f76115e5a
child 50452 ccb2c0d5da93
8203839: API clarification: versioned jar entry verification in multi-release jar file Reviewed-by: darcy, psandoz, alanb, weijun
src/java.base/share/classes/java/util/jar/JarFile.java
--- a/src/java.base/share/classes/java/util/jar/JarFile.java	Thu Jun 07 21:57:17 2018 +0200
+++ b/src/java.base/share/classes/java/util/jar/JarFile.java	Thu Jun 07 13:24:49 2018 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -93,10 +93,14 @@
  * argument.  This assures that classes compatible with the major
  * version of the running JVM are loaded from multi-release jar files.
  *
- * <p>If the verify flag is on when opening a signed jar file, the content of
- * the file is verified against its signature embedded inside the file. Please
- * note that the verification process does not include validating the signer's
- * certificate. A caller should inspect the return value of
+ * <p> If the {@code verify} flag is on when opening a signed jar file, the content
+ * of the jar entry is verified against the signature embedded inside the manifest
+ * that is associated with its {@link JarEntry#getRealName() path name}. For a
+ * multi-release jar file, the content of a versioned entry is verfieid against
+ * its own signature and {@link JarEntry#getCodeSigners()} returns its own signers.
+ *
+ * Please note that the verification process does not include validating the
+ * signer's certificate. A caller should inspect the return value of
  * {@link JarEntry#getCodeSigners()} to further determine if the signature
  * can be trusted.
  *