8196823: jarsigner should not create a signed jar if the signing fails

Reviewed-by: mullan, alanb
2025-08-27 06:45:07 +02:00 · 2018-02-08 11:44:21 +08:00 · 2018-02-08 11:44:21 +08:00 · 48aad3bd2f
commit 48aad3bd2f
parent e7f7bcdb06
3 changed files with 101 additions and 14 deletions
--- a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
@ -26,6 +26,7 @@
 package sun.security.tools.jarsigner;

 import java.io.*;
+import java.net.UnknownHostException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXBuilderParameters;
 import java.util.*;
@ -1400,13 +1401,6 @@ public class Main {
            error(rb.getString("unable.to.open.jar.file.")+jarName, ioe);
        }

-        FileOutputStream fos = null;
-        try {
-            fos = new FileOutputStream(signedJarFile);
-        } catch (IOException ioe) {
-            error(rb.getString("unable.to.create.")+tmpJarName, ioe);
-        }
-
        CertPath cp = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(certChain));
        JarSigner.Builder builder = new JarSigner.Builder(privateKey, cp);
@ -1473,24 +1467,42 @@ public class Main {
        builder.setProperty("sectionsOnly", Boolean.toString(!signManifest));
        builder.setProperty("internalSF", Boolean.toString(!externalSF));

+        FileOutputStream fos = null;
+        try {
+            fos = new FileOutputStream(signedJarFile);
+        } catch (IOException ioe) {
+            error(rb.getString("unable.to.create.")+tmpJarName, ioe);
+        }
+
+        Throwable failedCause = null;
+        String failedMessage = null;
+
        try {
            builder.build().sign(zipFile, fos);
        } catch (JarSignerException e) {
-            Throwable cause = e.getCause();
-            if (cause != null && cause instanceof SocketTimeoutException) {
+            failedCause = e.getCause();
+            if (failedCause instanceof SocketTimeoutException
+                    || failedCause instanceof UnknownHostException) {
                // Provide a helpful message when TSA is beyond a firewall
-                error(rb.getString("unable.to.sign.jar.") +
+                failedMessage = rb.getString("unable.to.sign.jar.") +
                        rb.getString("no.response.from.the.Timestamping.Authority.") +
                        "\n  -J-Dhttp.proxyHost=<hostname>" +
                        "\n  -J-Dhttp.proxyPort=<portnumber>\n" +
                        rb.getString("or") +
                        "\n  -J-Dhttps.proxyHost=<hostname> " +
-                        "\n  -J-Dhttps.proxyPort=<portnumber> ", e);
+                        "\n  -J-Dhttps.proxyPort=<portnumber> ";
            } else {
-                error(rb.getString("unable.to.sign.jar.")+e.getCause(), e.getCause());
+                // JarSignerException might have a null cause
+                if (failedCause == null) {
+                    failedCause = e;
+                }
+                failedMessage = rb.getString("unable.to.sign.jar.") + failedCause;
            }
+        } catch (Exception e) {
+            failedCause = e;
+            failedMessage = rb.getString("unable.to.sign.jar.") + failedCause;
        } finally {
-            // close the resouces
+            // close the resources
            if (zipFile != null) {
                zipFile.close();
                zipFile = null;
@ -1499,6 +1511,12 @@ public class Main {
            if (fos != null) {
                fos.close();
            }
+
+        }
+
+        if (failedCause != null) {
+            signedJarFile.delete();
+            error(failedMessage, failedCause);
        }

        // The JarSigner API always accepts the timestamp received.