From 81c75c04d6a05531327b1e6303eb2ea857c0337b Mon Sep 17 00:00:00 2001
From: George Gastaldi <gegastaldi@gmail.com>
Date: Wed, 10 Apr 2024 21:19:34 -0300
Subject: [PATCH] Unsign modified dependency JARs when filtering

---
 .../pkg/steps/JarResultBuildStep.java         | 60 ++++++++++---------
 1 file changed, 32 insertions(+), 28 deletions(-)

diff --git a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java
index ade96118461b7..74c14596a54be 100644
--- a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java
+++ b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java
@@ -5,7 +5,6 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedWriter;
 import java.io.ByteArrayOutputStream;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
@@ -42,12 +41,12 @@
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.jar.Attributes;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarOutputStream;
 import java.util.jar.Manifest;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipFile;
-import java.util.zip.ZipOutputStream;
 
 import org.jboss.logging.Logger;
 
@@ -92,14 +91,14 @@
 
 /**
  * This build step builds both the thin jars and uber jars.
- *
+ * <p>
  * The way this is built is a bit convoluted. In general, we only want a single one built,
  * as determined by the {@link PackageConfig} (unless the config explicitly asks for both of them)
- *
+ * <p>
  * However, we still need an extension to be able to ask for a specific one of these despite the config,
  * e.g. if a serverless environment needs an uberjar to build its deployment package then we need
  * to be able to provide this.
- *
+ * <p>
  * To enable this we have two build steps that strongly produce the respective artifact type build
  * items, but not a {@link ArtifactResultBuildItem}. We then
  * have another two build steps that only run if they are configured to consume these explicit
@@ -929,7 +928,7 @@ private void copyDependency(Set<ArtifactKey> parentFirstArtifacts, OutputTargetB
                 } else {
                     // we copy jars for which we remove entries to the same directory
                     // which seems a bit odd to me
-                    filterZipFile(resolvedDep, targetPath, removedFromThisArchive);
+                    filterJarFile(resolvedDep, targetPath, removedFromThisArchive);
                 }
             }
         }
@@ -1123,7 +1122,7 @@ private void copyLibraryJars(FileSystem runnerZipFs, OutputTargetBuildItem outpu
                                 + resolvedDep.getFileName();
                         final Path targetPath = libDir.resolve(fileName);
                         classPath.append(" lib/").append(fileName);
-                        filterZipFile(resolvedDep, targetPath, transformedFromThisArchive);
+                        filterJarFile(resolvedDep, targetPath, transformedFromThisArchive);
                     }
                 } else {
                     // This case can happen when we are building a jar from inside the Quarkus repository
@@ -1237,24 +1236,33 @@ private void handleParent(FileSystem runnerZipFs, String fileName, Map<String, S
         }
     }
 
-    private void filterZipFile(Path resolvedDep, Path targetPath, Set<String> transformedFromThisArchive) {
-
+    private void filterJarFile(Path resolvedDep, Path targetPath, Set<String> transformedFromThisArchive) {
         try {
-            byte[] buffer = new byte[10000];
-            try (ZipFile in = new ZipFile(resolvedDep.toFile())) {
-                try (ZipOutputStream out = new ZipOutputStream(new FileOutputStream(targetPath.toFile()))) {
-                    Enumeration<? extends ZipEntry> entries = in.entries();
+            try (JarFile in = new JarFile(resolvedDep.toFile(), false)) {
+                Manifest manifest = in.getManifest();
+                if (manifest != null) {
+                    // Remove signature entries
+                    manifest.getEntries().clear();
+                } else {
+                    manifest = new Manifest();
+                }
+                try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(targetPath), manifest)) {
+                    Enumeration<JarEntry> entries = in.entries();
                     while (entries.hasMoreElements()) {
-                        ZipEntry entry = entries.nextElement();
-                        if (!transformedFromThisArchive.contains(entry.getName())) {
+                        JarEntry entry = entries.nextElement();
+                        if (!transformedFromThisArchive.contains(entry.getName())
+                                && !entry.getName().equals(JarFile.MANIFEST_NAME)
+                                && !entry.getName().equals("META-INF/INDEX.LIST")
+                                && !entry.getName().endsWith(".SF")
+                                && !entry.getName().endsWith(".DSA")
+                                && !entry.getName().endsWith(".RSA")) {
                             entry.setCompressedSize(-1);
                             out.putNextEntry(entry);
                             try (InputStream inStream = in.getInputStream(entry)) {
-                                int r = 0;
-                                while ((r = inStream.read(buffer)) > 0) {
-                                    out.write(buffer, 0, r);
-                                }
+                                inStream.transferTo(out);
                             }
+                        } else {
+                            log.debugf("Removed %s from %s", entry.getName(), resolvedDep);
                         }
                     }
                 }
@@ -1262,7 +1270,7 @@ private void filterZipFile(Path resolvedDep, Path targetPath, Set<String> transf
                 Files.setLastModifiedTime(targetPath, Files.getLastModifiedTime(resolvedDep));
             }
         } catch (IOException e) {
-            throw new RuntimeException(e);
+            throw new UncheckedIOException(e);
         }
     }
 
@@ -1591,12 +1599,8 @@ public boolean downloadIfNecessary() {
                         "https://repo.maven.apache.org/maven2/org/vineflower/vineflower/%s/vineflower-%s.jar",
                         context.versionStr, context.versionStr);
                 try (BufferedInputStream in = new BufferedInputStream(new URL(downloadURL).openStream());
-                        FileOutputStream fileOutputStream = new FileOutputStream(decompilerJar.toFile())) {
-                    byte[] dataBuffer = new byte[1024];
-                    int bytesRead;
-                    while ((bytesRead = in.read(dataBuffer, 0, 1024)) != -1) {
-                        fileOutputStream.write(dataBuffer, 0, bytesRead);
-                    }
+                        OutputStream fileOutputStream = Files.newOutputStream(decompilerJar)) {
+                    in.transferTo(fileOutputStream);
                     return true;
                 } catch (IOException e) {
                     log.error("Unable to download Vineflower from " + downloadURL, e);