Write signature files to uber jars to for Oracle Java 17 verification

Update Gradle and Maven plugins to write an empty `META-INF/BOOT.SF`
file whenever there is a nested signed jar.

This update allows Oracle Java 17 to correctly verify the nested JARs.
The file is required because `JarVerifier` has code roughly equivalent
to:

	if (!jarManifestNameChecked && SharedSecrets
			.getJavaUtilZipFileAccess().getManifestName(jf, true) == null) {
    	throw new JarException("The JCE Provider " + jarURL.toString() +
    		" is not signed.");
	}

The `SharedSecrets.getJavaUtilZipFileAccess().getManifestName(jf, true)`
call ends up in `ZipFile.getManifestName(onlyIfSignatureRelatedFiles)`
which is a private method that we cannot override in our `NestedJarFile`
subclass. By writing an empty `.SF` file we ensure that the `Manifest`
is always returned because there are always "signature related files".

Fixes gh-28837

Author: philwebb

spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootArchiveSupport.java

@@ -123,12 +123,13 @@ private String determineSpringBootVersion() {
 	}
 
 	CopyAction createCopyAction(Jar jar, ResolvedDependencies resolvedDependencies,
-			LoaderImplementation loaderImplementation) {
-		return createCopyAction(jar, resolvedDependencies, loaderImplementation, null, null);
+			LoaderImplementation loaderImplementation, boolean supportsSignatureFile) {
+		return createCopyAction(jar, resolvedDependencies, loaderImplementation, supportsSignatureFile, null, null);
 	}
 
 	CopyAction createCopyAction(Jar jar, ResolvedDependencies resolvedDependencies,
-			LoaderImplementation loaderImplementation, LayerResolver layerResolver, String layerToolsLocation) {
+			LoaderImplementation loaderImplementation, boolean supportsSignatureFile, LayerResolver layerResolver,
+			String layerToolsLocation) {
 		File output = jar.getArchiveFile().get().getAsFile();
 		Manifest manifest = jar.getManifest();
 		boolean preserveFileTimestamps = jar.isPreserveFileTimestamps();
@@ -143,7 +144,8 @@ CopyAction createCopyAction(Jar jar, ResolvedDependencies resolvedDependencies,
 		String encoding = jar.getMetadataCharset();
 		CopyAction action = new BootZipCopyAction(output, manifest, preserveFileTimestamps, dirMode, fileMode,
 				includeDefaultLoader, layerToolsLocation, requiresUnpack, exclusions, launchScript, librarySpec,
-				compressionResolver, encoding, resolvedDependencies, layerResolver, loaderImplementation);
+				compressionResolver, encoding, resolvedDependencies, supportsSignatureFile, layerResolver,
+				loaderImplementation);
 		return jar.isReproducibleFileOrder() ? new ReproducibleOrderingCopyAction(action) : action;
 	}
 

spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootJar.java

@@ -147,10 +147,10 @@ protected CopyAction createCopyAction() {
 		if (!isLayeredDisabled()) {
 			LayerResolver layerResolver = new LayerResolver(this.resolvedDependencies, this.layered, this::isLibrary);
 			String layerToolsLocation = this.layered.getIncludeLayerTools().get() ? LIB_DIRECTORY : null;
-			return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation, layerResolver,
-					layerToolsLocation);
+			return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation, true,
+					layerResolver, layerToolsLocation);
 		}
-		return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation);
+		return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation, true);
 	}
 
 	@Override

spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootWar.java

@@ -121,10 +121,10 @@ protected CopyAction createCopyAction() {
 		if (!isLayeredDisabled()) {
 			LayerResolver layerResolver = new LayerResolver(this.resolvedDependencies, this.layered, this::isLibrary);
 			String layerToolsLocation = this.layered.getIncludeLayerTools().get() ? LIB_DIRECTORY : null;
-			return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation, layerResolver,
-					layerToolsLocation);
+			return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation, false,
+					layerResolver, layerToolsLocation);
 		}
-		return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation);
+		return this.support.createCopyAction(this, this.resolvedDependencies, loaderImplementation, false);
 	}
 
 	@Override

spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootZipCopyAction.java

@@ -111,6 +111,8 @@ class BootZipCopyAction implements CopyAction {
 
 	private final ResolvedDependencies resolvedDependencies;
 
+	private final boolean supportsSignatureFile;
+
 	private final LayerResolver layerResolver;
 
 	private final LoaderImplementation loaderImplementation;
@@ -119,7 +121,7 @@ class BootZipCopyAction implements CopyAction {
 			boolean includeDefaultLoader, String layerToolsLocation, Spec<FileTreeElement> requiresUnpack,
 			Spec<FileTreeElement> exclusions, LaunchScriptConfiguration launchScript, Spec<FileCopyDetails> librarySpec,
 			Function<FileCopyDetails, ZipCompression> compressionResolver, String encoding,
-			ResolvedDependencies resolvedDependencies, LayerResolver layerResolver,
+			ResolvedDependencies resolvedDependencies, boolean supportsSignatureFile, LayerResolver layerResolver,
 			LoaderImplementation loaderImplementation) {
 		this.output = output;
 		this.manifest = manifest;
@@ -135,6 +137,7 @@ class BootZipCopyAction implements CopyAction {
 		this.compressionResolver = compressionResolver;
 		this.encoding = encoding;
 		this.resolvedDependencies = resolvedDependencies;
+		this.supportsSignatureFile = supportsSignatureFile;
 		this.layerResolver = layerResolver;
 		this.loaderImplementation = loaderImplementation;
 	}
@@ -302,6 +305,7 @@ private String getParentDirectory(String name) {
 		void finish() throws IOException {
 			writeLoaderEntriesIfNecessary(null);
 			writeJarToolsIfNecessary();
+			writeSignatureFileIfNecessary();
 			writeClassPathIndexIfNecessary();
 			writeNativeImageArgFileIfNecessary();
 			// We must write the layer index last
@@ -351,6 +355,22 @@ private void writeJarModeLibrary(String location, JarModeLibrary library) throws
 			}
 		}
 
+		private void writeSignatureFileIfNecessary() throws IOException {
+			if (BootZipCopyAction.this.supportsSignatureFile && hasSignedLibrary()) {
+				writeEntry("META-INF/BOOT.SF", (out) -> {
+				}, false);
+			}
+		}
+
+		private boolean hasSignedLibrary() throws IOException {
+			for (FileCopyDetails writtenLibrary : this.writtenLibraries.values()) {
+				if (FileUtils.isSignedJarFile(writtenLibrary.getFile())) {
+					return true;
+				}
+			}
+			return false;
+		}
+
 		private void writeClassPathIndexIfNecessary() throws IOException {
 			Attributes manifestAttributes = BootZipCopyAction.this.manifest.getAttributes();
 			String classPathIndex = (String) manifestAttributes.get("Spring-Boot-Classpath-Index");

spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/test/java/org/springframework/boot/gradle/tasks/bundling/BootJarIntegrationTests.java

@@ -16,12 +16,15 @@
 
 package org.springframework.boot.gradle.tasks.bundling;
 
+import java.io.File;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.jar.JarFile;
 
 import org.gradle.testkit.runner.BuildResult;
+import org.gradle.testkit.runner.TaskOutcome;
 import org.junit.jupiter.api.TestTemplate;
 
 import org.springframework.boot.gradle.junit.GradleCompatibility;
@@ -42,6 +45,15 @@ class BootJarIntegrationTests extends AbstractBootArchiveIntegrationTests {
 		super("bootJar", "BOOT-INF/lib/", "BOOT-INF/classes/", "BOOT-INF/");
 	}
 
+	@TestTemplate
+	void signed() throws Exception {
+		assertThat(this.gradleBuild.build("bootJar").task(":bootJar").getOutcome()).isEqualTo(TaskOutcome.SUCCESS);
+		File jar = new File(this.gradleBuild.getProjectDir(), "build/libs").listFiles()[0];
+		try (JarFile jarFile = new JarFile(jar)) {
+			assertThat(jarFile.getEntry("META-INF/BOOT.SF")).isNotNull();
+		}
+	}
+
 	@TestTemplate
 	void whenAResolvableCopyOfAnUnresolvableConfigurationIsResolvedThenResolutionSucceeds() {
 		this.gradleBuild.expectDeprecationWarningsWithAtLeastVersion("8.0").build("build");

spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/test/resources/org/springframework/boot/gradle/tasks/bundling/BootJarIntegrationTests-signed.gradle

@@ -0,0 +1,17 @@
+plugins {
+	id 'java'
+	id 'org.springframework.boot' version '{version}'
+}
+
+bootJar {
+	mainClass = 'com.example.Application'
+}
+
+repositories {
+	mavenCentral()
+	maven { url "file:repository" }
+}
+
+dependencies {
+	implementation("org.bouncycastle:bcprov-jdk18on:1.76")
+}

spring-boot-project/spring-boot-tools/spring-boot-loader-tools/src/main/java/org/springframework/boot/loader/tools/FileUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,9 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.util.jar.Attributes;
+import java.util.jar.JarFile;
+import java.util.jar.Manifest;
 
 /**
  * Utilities for manipulating files and directories in Spring Boot tooling.
@@ -61,4 +64,31 @@ public static String sha1Hash(File file) throws IOException {
 		return Digest.sha1(InputStreamSupplier.forFile(file));
 	}
 
+	/**
+	 * Returns {@code true} if the given jar file has been signed.
+	 * @param file the file to check
+	 * @return if the file has been signed
+	 * @throws IOException on IO error
+	 */
+	public static boolean isSignedJarFile(File file) throws IOException {
+		try (JarFile jarFile = new JarFile(file)) {
+			if (hasDigestEntry(jarFile.getManifest())) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	private static boolean hasDigestEntry(Manifest manifest) {
+		return (manifest != null) && manifest.getEntries().values().stream().anyMatch(FileUtils::hasDigestName);
+	}
+
+	private static boolean hasDigestName(Attributes attributes) {
+		return attributes.keySet().stream().anyMatch(FileUtils::isDigestName);
+	}
+
+	private static boolean isDigestName(Object name) {
+		return String.valueOf(name).toUpperCase().endsWith("-DIGEST");
+	}
+
 }

spring-boot-project/spring-boot-tools/spring-boot-loader-tools/src/main/java/org/springframework/boot/loader/tools/Packager.java

@@ -217,6 +217,7 @@ private void write(JarFile sourceJar, AbstractJarWriter writer, PackagedLibrarie
 		if (isLayered()) {
 			writeLayerIndex(writer);
 		}
+		writeSignatureFileIfNecessary(writtenLibraries, writer);
 	}
 
 	private void writeLoaderClasses(AbstractJarWriter writer) throws IOException {
@@ -263,6 +264,10 @@ private void writeLayerIndex(AbstractJarWriter writer) throws IOException {
 		}
 	}
 
+	protected void writeSignatureFileIfNecessary(Map<String, Library> writtenLibraries, AbstractJarWriter writer)
+			throws IOException {
+	}
+
 	private EntryTransformer getEntityTransformer() {
 		if (getLayout() instanceof RepackagingLayout repackagingLayout) {
 			return new RepackagingEntryTransformer(repackagingLayout);

spring-boot-project/spring-boot-tools/spring-boot-loader-tools/src/main/java/org/springframework/boot/loader/tools/Repackager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.attribute.FileTime;
+import java.util.Map;
 import java.util.jar.JarFile;
 
 import org.springframework.util.Assert;
@@ -46,6 +47,24 @@ public Repackager(File source) {
 		super(source);
 	}
 
+	@Override
+	protected void writeSignatureFileIfNecessary(Map<String, Library> writtenLibraries, AbstractJarWriter writer)
+			throws IOException {
+		if (getSource().getName().toLowerCase().endsWith(".jar") && hasSignedLibrary(writtenLibraries)) {
+			writer.writeEntry("META-INF/BOOT.SF", (entryWriter) -> {
+			});
+		}
+	}
+
+	private boolean hasSignedLibrary(Map<String, Library> writtenLibraries) throws IOException {
+		for (Library library : writtenLibraries.values()) {
+			if (!(library instanceof JarModeLibrary) && FileUtils.isSignedJarFile(library.getFile())) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * Sets if source files should be backed up when they would be overwritten.
 	 * @param backupSource if source files should be backed up

spring-boot-project/spring-boot-tools/spring-boot-loader-tools/src/test/java/org/springframework/boot/loader/tools/AbstractPackagerTests.java

@@ -660,7 +660,7 @@ private File createLibraryJar() throws IOException {
 		return library.getFile();
 	}
 
-	private Library newLibrary(File file, LibraryScope scope, boolean unpackRequired) {
+	protected Library newLibrary(File file, LibraryScope scope, boolean unpackRequired) {
 		return new Library(null, file, scope, null, unpackRequired, false, true);
 	}
 
@@ -687,7 +687,7 @@ protected boolean hasPackagedLauncherClasses() throws IOException {
 				&& hasPackagedEntry("org/springframework/boot/loader/launch/JarLauncher.class");
 	}
 
-	private boolean hasPackagedEntry(String name) throws IOException {
+	protected boolean hasPackagedEntry(String name) throws IOException {
 		return getPackagedEntry(name) != null;
 	}