Strip out jar signatures
diff --git a/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java b/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java
index 3448970..12d1480 100644
--- a/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java
+++ b/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java
@@ -81,6 +81,11 @@
// TODO: the name may be changed in transformation
final String path = updatePath(oldEntry.getName());
+ if (skip(path)) {
+ IO.copy(zipInputStream, skipped);
+ continue;
+ }
+
/*
* If this entry has been patched, skip it
* We will add the patched version at the end
@@ -137,6 +142,19 @@
}
}
+ /**
+ * Skip signed jar public key files. We most definitely
+ * have tampered with the jar.
+ */
+ private boolean skip(final String name) {
+ if (name.startsWith("META-INF/")) {
+ if (name.endsWith(".SF")) return true;
+ if (name.endsWith(".DSA")) return true;
+ if (name.endsWith(".RSA")) return true;
+ }
+ return false;
+ }
+
private String updatePath(final String name) {
return name.replace("resources/javax.faces","resources/jakarta.faces");
}