SpringBoot JarFile implementation calls close early which breaks verification of signed unpacked nested jars on Oracle JDK

See #28837. A work-around should be to set the unpack flag but this doesn't work since we still wrap things.

Comment From: wilkinsona

For reasons that I don't yet understand, this fix doesn't work once spring-boot-loader-tests-signed-jar-unpack-app has been upgraded to Bouncycastle 1.71:

Exception in thread "main" java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65)
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:722)
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:642)
    at org.springframework.boot.loaderapp.LoaderSignedJarTestApplication.main(LoaderSignedJarTestApplication.java:31)
    ... 8 more
Caused by: java.lang.IllegalStateException: zip file closed
    at java.base/java.util.zip.ZipFile.ensureOpen(ZipFile.java:831)
    at java.base/java.util.zip.ZipFile.getManifestName(ZipFile.java:1057)
    at java.base/java.util.zip.ZipFile$1.getManifestName(ZipFile.java:1100)
    at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:461)
    at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:317)
    at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:260)
    at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:130)
    at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:190)
    at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:218)
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:718)
    ... 10 more

Comment From: wilkinsona

It's a mistake in the Bouncy Castle upgrade. It didn't change the requiresUnpack pattern.

Comment From: philwebb

I'm afraid this fix caused several regressions to be reported. We're going to need to revert it and find a different approach. I've opened #32106.