Merge pull request #47757 from gastaldi/jarunsigner

gastaldi · web-flow · commit 89ae96360e23 · 2025-05-08T13:23:35.000-03:00
Unsign all dependency JARs during build
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/pkg/JarUnsigner.java b/core/deployment/src/main/java/io/quarkus/deployment/pkg/JarUnsigner.java
@@ -0,0 +1,164 @@
+package io.quarkus.deployment.pkg;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Enumeration;
+import java.util.Map;
+import java.util.function.Predicate;
+import java.util.jar.Attributes;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Manifest;
+
+import org.jboss.logging.Logger;
+
+/**
+ * JarUnsigner is used to remove the signature from a jar file.
+ */
+public final class JarUnsigner {
+
+    private static final Logger log = Logger.getLogger(JarUnsigner.class);
+
+    private JarUnsigner() {
+        // utility class
+    }
+
+    /**
+     * Unsigns a jar file by removing the signature entries.
+     * If the JAR is not signed, it will simply copy the original JAR to the target path.
+     *
+     * @param jarPath the path to the jar file to unsign
+     * @param targetPath the path to the target jar file
+     * @throws IOException if an I/O error occurs
+     */
+    public static void unsignJar(Path jarPath, Path targetPath) throws IOException {
+        try (JarFile in = new JarFile(jarPath.toFile(), false)) {
+            Manifest manifest = in.getManifest();
+            boolean signed;
+            if (manifest != null) {
+                Map<String, Attributes> entries = manifest.getEntries();
+                signed = !entries.isEmpty();
+                // Remove signature entries
+                entries.clear();
+            } else {
+                signed = false;
+                manifest = new Manifest();
+            }
+            if (!signed) {
+                in.close();
+                log.debugf("JAR %s is not signed, skipping unsigning", jarPath);
+                Files.copy(jarPath, targetPath, java.nio.file.StandardCopyOption.REPLACE_EXISTING);
+            } else {
+                log.debugf("JAR %s is signed, removing signature", jarPath);
+                // Reusing buffer for performance reasons
+                byte[] buffer = new byte[10000];
+                try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(targetPath))) {
+                    JarEntry manifestEntry = new JarEntry(JarFile.MANIFEST_NAME);
+                    // Set manifest time to epoch to always make the same jar
+                    manifestEntry.setTime(0);
+                    out.putNextEntry(manifestEntry);
+                    manifest.write(out);
+                    out.closeEntry();
+                    Enumeration<JarEntry> entries = in.entries();
+                    while (entries.hasMoreElements()) {
+                        JarEntry entry = entries.nextElement();
+                        String entryName = entry.getName();
+                        if (!entryName.equals(JarFile.MANIFEST_NAME)
+                                && !entryName.equals("META-INF/INDEX.LIST")
+                                && !isSignatureFile(entryName)) {
+                            entry.setCompressedSize(-1);
+                            out.putNextEntry(entry);
+                            try (InputStream inStream = in.getInputStream(entry)) {
+                                int r;
+                                while ((r = inStream.read(buffer)) > 0) {
+                                    out.write(buffer, 0, r);
+                                }
+                            } finally {
+                                out.closeEntry();
+                            }
+                        } else {
+                            log.debugf("Removed %s from %s", entryName, jarPath);
+                        }
+                    }
+                }
+            }
+            // let's make sure we keep the original timestamp
+            Files.setLastModifiedTime(targetPath, Files.getLastModifiedTime(jarPath));
+        }
+    }
+
+    /**
+     * Unsigns a jar file by removing the signature entries.
+     *
+     * @param jarPath the path to the jar file to unsign
+     * @param targetPath the path to the target jar file
+     * @param includePredicate a predicate to determine which entries to include in the target jar
+     * @throws IOException if an I/O error occurs
+     */
+    public static void unsignJar(Path jarPath, Path targetPath, Predicate<String> includePredicate) throws IOException {
+        // Reusing buffer for performance reasons
+        byte[] buffer = new byte[10000];
+        try (JarFile in = new JarFile(jarPath.toFile(), false)) {
+            Manifest manifest = in.getManifest();
+            boolean signed;
+            if (manifest != null) {
+                Map<String, Attributes> entries = manifest.getEntries();
+                signed = !entries.isEmpty();
+                // Remove signature entries
+                entries.clear();
+            } else {
+                signed = false;
+                manifest = new Manifest();
+            }
+            if (signed) {
+                log.debugf("JAR %s is signed, removing signature", jarPath);
+            }
+            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(targetPath))) {
+                JarEntry manifestEntry = new JarEntry(JarFile.MANIFEST_NAME);
+                // Set manifest time to epoch to always make the same jar
+                manifestEntry.setTime(0);
+                out.putNextEntry(manifestEntry);
+                manifest.write(out);
+                out.closeEntry();
+                Enumeration<JarEntry> entries = in.entries();
+                while (entries.hasMoreElements()) {
+                    JarEntry entry = entries.nextElement();
+                    String entryName = entry.getName();
+                    if (includePredicate.test(entryName)
+                            && !entryName.equals(JarFile.MANIFEST_NAME)
+                            && !entryName.equals("META-INF/INDEX.LIST")
+                            && !isSignatureFile(entryName)) {
+                        entry.setCompressedSize(-1);
+                        out.putNextEntry(entry);
+                        try (InputStream inStream = in.getInputStream(entry)) {
+                            int r;
+                            while ((r = inStream.read(buffer)) > 0) {
+                                out.write(buffer, 0, r);
+                            }
+                        } finally {
+                            out.closeEntry();
+                        }
+                    } else {
+                        log.debugf("Removed %s from %s", entryName, jarPath);
+                    }
+                }
+            }
+            // let's make sure we keep the original timestamp
+            Files.setLastModifiedTime(targetPath, Files.getLastModifiedTime(jarPath));
+        }
+    }
+
+    private static boolean isSignatureFile(String entry) {
+        entry = entry.toUpperCase();
+        if (entry.startsWith("META-INF/") && entry.indexOf('/', "META-INF/".length()) == -1) {
+            return entry.endsWith(".SF")
+                    || entry.endsWith(".DSA")
+                    || entry.endsWith(".RSA")
+                    || entry.endsWith(".EC");
+        }
+        return false;
+    }
+}
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java
@@ -43,9 +43,6 @@
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.jar.Attributes;
-import java.util.jar.JarEntry;
-import java.util.jar.JarFile;
-import java.util.jar.JarOutputStream;
 import java.util.jar.Manifest;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -68,6 +65,7 @@
 import io.quarkus.deployment.builditem.QuarkusBuildCloseablesBuildItem;
 import io.quarkus.deployment.builditem.TransformedClassesBuildItem;
 import io.quarkus.deployment.configuration.ClassLoadingConfig;
+import io.quarkus.deployment.pkg.JarUnsigner;
 import io.quarkus.deployment.pkg.PackageConfig;
 import io.quarkus.deployment.pkg.builditem.ArtifactResultBuildItem;
 import io.quarkus.deployment.pkg.builditem.BuildSystemTargetBuildItem;
@@ -959,7 +957,7 @@ private void copyDependency(Set<ArtifactKey> parentFirstArtifacts, OutputTargetB
                 } else {
                     // we copy jars for which we remove entries to the same directory
                     // which seems a bit odd to me
-                    filterJarFile(resolvedDep, targetPath, removedFromThisArchive);
+                    JarUnsigner.unsignJar(resolvedDep, targetPath, Predicate.not(removedFromThisArchive::contains));
 
                     var list = new ArrayList<>(removedFromThisArchive);
                     Collections.sort(list);
@@ -1135,7 +1133,6 @@ private void copyLibraryJars(FileSystem runnerZipFs, OutputTargetBuildItem outpu
             TransformedClassesBuildItem transformedClasses, Path libDir,
             StringBuilder classPath, Collection<ResolvedDependency> appDeps, Map<String, List<byte[]>> services,
             Predicate<String> ignoredEntriesPredicate, Set<ArtifactKey> removedDependencies) throws IOException {
-
         for (ResolvedDependency appDep : appDeps) {
 
             // Exclude files that are not jars (typically, we can have XML files here, see https://github.com/quarkusio/quarkus/issues/2852)
@@ -1150,15 +1147,16 @@ private void copyLibraryJars(FileSystem runnerZipFs, OutputTargetBuildItem outpu
                     if (transformedFromThisArchive == null || transformedFromThisArchive.isEmpty()) {
                         final String fileName = appDep.getGroupId() + "." + resolvedDep.getFileName();
                         final Path targetPath = libDir.resolve(fileName);
-                        Files.copy(resolvedDep, targetPath, StandardCopyOption.REPLACE_EXISTING);
+                        // Unsign the jar before copying it
+                        JarUnsigner.unsignJar(resolvedDep, targetPath);
                         classPath.append(" lib/").append(fileName);
                     } else {
                         //we have transformed classes, we need to handle them correctly
                         final String fileName = "modified-" + appDep.getGroupId() + "."
                                 + resolvedDep.getFileName();
                         final Path targetPath = libDir.resolve(fileName);
                         classPath.append(" lib/").append(fileName);
-                        filterJarFile(resolvedDep, targetPath, transformedFromThisArchive);
+                        JarUnsigner.unsignJar(resolvedDep, targetPath, Predicate.not(transformedFromThisArchive::contains));
                     }
                 } else {
                     // This case can happen when we are building a jar from inside the Quarkus repository
@@ -1272,66 +1270,6 @@ private void handleParent(FileSystem runnerZipFs, String fileName, Map<String, S
         }
     }
 
-    static void filterJarFile(Path resolvedDep, Path targetPath, Set<String> transformedFromThisArchive) {
-        try {
-            byte[] buffer = new byte[10000];
-            try (JarFile in = new JarFile(resolvedDep.toFile(), false)) {
-                Manifest manifest = in.getManifest();
-                if (manifest != null) {
-                    // Remove signature entries
-                    manifest.getEntries().clear();
-                } else {
-                    manifest = new Manifest();
-                }
-                try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(targetPath))) {
-                    JarEntry manifestEntry = new JarEntry(JarFile.MANIFEST_NAME);
-                    // Set manifest time to epoch to always make the same jar
-                    manifestEntry.setTime(0);
-                    out.putNextEntry(manifestEntry);
-                    manifest.write(out);
-                    out.closeEntry();
-                    Enumeration<JarEntry> entries = in.entries();
-                    while (entries.hasMoreElements()) {
-                        JarEntry entry = entries.nextElement();
-                        String entryName = entry.getName();
-                        if (!transformedFromThisArchive.contains(entryName)
-                                && !entryName.equals(JarFile.MANIFEST_NAME)
-                                && !entryName.equals("META-INF/INDEX.LIST")
-                                && !isSignatureFile(entryName)) {
-                            entry.setCompressedSize(-1);
-                            out.putNextEntry(entry);
-                            try (InputStream inStream = in.getInputStream(entry)) {
-                                int r = 0;
-                                while ((r = inStream.read(buffer)) > 0) {
-                                    out.write(buffer, 0, r);
-                                }
-                            } finally {
-                                out.closeEntry();
-                            }
-                        } else {
-                            log.debugf("Removed %s from %s", entryName, resolvedDep);
-                        }
-                    }
-                }
-                // let's make sure we keep the original timestamp
-                Files.setLastModifiedTime(targetPath, Files.getLastModifiedTime(resolvedDep));
-            }
-        } catch (IOException e) {
-            throw new UncheckedIOException(e);
-        }
-    }
-
-    private static boolean isSignatureFile(String entry) {
-        entry = entry.toUpperCase();
-        if (entry.startsWith("META-INF/") && entry.indexOf('/', "META-INF/".length()) == -1) {
-            return entry.endsWith(".SF")
-                    || entry.endsWith(".DSA")
-                    || entry.endsWith(".RSA")
-                    || entry.endsWith(".EC");
-        }
-        return false;
-    }
-
     /**
      * Manifest generation is quite simple : we just have to push some attributes in manifest.
      * However, it gets a little more complex if the manifest preexists.
diff --git a/core/deployment/src/test/java/io/quarkus/deployment/pkg/JarUnsignerTest.java b/core/deployment/src/test/java/io/quarkus/deployment/pkg/JarUnsignerTest.java
@@ -1,4 +1,4 @@
-package io.quarkus.deployment.pkg.steps;
+package io.quarkus.deployment.pkg;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -16,7 +16,6 @@
 import java.security.cert.CertificateException;
 import java.util.Calendar;
 import java.util.Date;
-import java.util.Set;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.Manifest;
@@ -41,9 +40,9 @@
 import jdk.security.jarsigner.JarSigner;
 
 /**
- * Test for {@link JarResultBuildStep}
+ * Test for {@link JarUnsigner}
  */
-class JarResultBuildStepTest {
+class JarUnsignerTest {
 
     @Test
     void should_unsign_jar_when_filtered(@TempDir Path tempDir) throws Exception {
@@ -58,7 +57,7 @@ void should_unsign_jar_when_filtered(@TempDir Path tempDir) throws Exception {
                 FileOutputStream out = new FileOutputStream(signedJarPath.toFile())) {
             signer.sign(in, out);
         }
-        JarResultBuildStep.filterJarFile(signedJarPath, unsignedJarToTestPath, Set.of("java/lang/Integer.class"));
+        JarUnsigner.unsignJar(signedJarPath, unsignedJarToTestPath, p -> !p.equals("java/lang/Integer.class"));
         try (JarFile jarFile = new JarFile(unsignedJarToTestPath.toFile())) {
             assertThat(jarFile.stream().map(JarEntry::getName)).doesNotContain("META-INF/ECLIPSE_.RSA", "META-INF/ECLIPSE_.SF");
             // Check that the manifest is still present
@@ -76,7 +75,7 @@ void manifestTimeShouldAlwaysBeSetToEpoch(@TempDir Path tempDir) throws Exceptio
         Path initialJar = tempDir.resolve("initial.jar");
         Path filteredJar = tempDir.resolve("filtered.jar");
         archive.as(ZipExporter.class).exportTo(new File(initialJar.toUri()), true);
-        JarResultBuildStep.filterJarFile(initialJar, filteredJar, Set.of("java/lang/Integer.class"));
+        JarUnsigner.unsignJar(initialJar, filteredJar, p -> !p.equals("java/lang/Integer.class"));
         try (JarFile jarFile = new JarFile(filteredJar.toFile())) {
             assertThat(jarFile.stream())
                     .filteredOn(jarEntry -> jarEntry.getName().equals(JarFile.MANIFEST_NAME))
