JDK-8163304

jarsigner -verbose -verify should print the algorithms used to sign the jar

    Details

    • Subcomponent:
    • Resolved In Build:
      b142
    • Verification:
      Verified

        Description

        It would be useful to emit the digest and signature algorithms that were used to sign the jar file.

            Activity

            weijun Weijun Wang added a comment -
            Both -digestalg and -sigalg info?

            Since a jar file can be signed multiple times and the content can change between the signings, the above info can be different for different files. The current jarsigner -verbose output only lists files each on one line. It might be better to add the new info into jarsigner -verbose -certs.

            I can think of something like this:

              sm 8 Mon Aug 08 22:04:22 CST 2016 A (and 3 more)

            + entry is signed with digest algorithm SHA-1 and signature algorithm SHA1withRSA
                   X.509, CN=Me
                   [certificate expired on 6/1/15, 9:48 AM]
                   [CertPath not validated: Path does not chain with any of the trust anchors]

            - [entry was signed on 8/8/16, 10:05 PM]
            + [entry was signed on 8/8/16, 10:05 PM with digest algorithm SHA-256 and signature algorithm SHA256withRSA]
                   X.509, CN=old
                   [certificate is valid from 8/8/16, 10:04 PM to 2/24/17, 10:04 PM]
                   X.509, CN=CA
                   [certificate is valid from 8/8/16, 10:04 PM to 2/24/17, 10:04 PM]
                   [CertPath not validated: Path does not chain with any of the trust anchors]

            Here, no timestamp for CN=Me (a self-signed cert), has timestamp for CN=old (which is signed by CN=CA). New digestalg and sigalg info are added/merged.

            Are we also interested in digestalg and sigalg for the timestamp?
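
As an added example (not part of this issue thread and not the attached SigningHistory.java): the digest algorithms each signer recorded can be read from the jar's META-INF/*.SF files, which shows how they differ per signer and per entry when a jar is signed more than once. It covers digest algorithms only; the signature algorithm sits in the signature block file, which is not parsed here. The sample jar, the signer names OLD and NEW, and the digest values are constructed.

```python
import io
import re
import zipfile
from collections import defaultdict

WEAK = {"MD2", "MD5", "SHA1", "SHA-1"}
DIGEST_ATTR = re.compile(r"^(.+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?$", re.I)

def parse_sections(text):
    """Split manifest-style text into sections; a leading space continues a line."""
    unfolded = re.sub(r"\r?\n ", "", text)
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in re.split(r"(?:\r?\n){2,}", unfolded.strip())]

def digest_algs_by_signer(jar_bytes):
    """Map signer (.SF base name) -> entry name -> set of digest algorithms."""
    report = defaultdict(lambda: defaultdict(set))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            sf = re.fullmatch(r"META-INF/([^/]+)\.SF", name, re.I)
            if not sf:
                continue
            for attrs in parse_sections(jar.read(name).decode("utf-8")):
                entry = attrs.get("Name", "<manifest>")  # main section has no Name
                for key in attrs:
                    hit = DIGEST_ATTR.match(key)
                    if hit:
                        report[sf.group(1)][entry].add(hit.group(1).upper())
    return {signer: dict(entries) for signer, entries in report.items()}

def weak_entries(report):
    """Sorted (signer, entry, algorithm) triples that rely on a weak digest."""
    return sorted((s, e, a) for s, entries in report.items()
                  for e, algs in entries.items() for a in algs if a in WEAK)

def build_sample_jar():
    """Constructed sample: A signed by OLD and NEW, dir/B added later, NEW only."""
    old_sf = ("Signature-Version: 1.0\r\nSHA1-Digest-Manifest: AAAA\r\n\r\n"
              "Name: A\r\nSHA1-Digest: BBBB\r\n\r\n")
    new_sf = ("Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: CCCC\r\n\r\n"
              "Name: A\r\nSHA-256-Digest: DDDD\r\n\r\n"
              "Name: dir/\r\n B\r\nSHA-256-Digest: EEEE\r\n\r\n")  # folded name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in [("A", "a"), ("dir/B", "b"),
                           ("META-INF/OLD.SF", old_sf), ("META-INF/NEW.SF", new_sf)]:
            jar.writestr(path, data)
    return buf.getvalue()
```

To audit a real file, pass its bytes to `digest_algs_by_signer` and feed the result to `weak_entries`.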
            weijun Weijun Wang added a comment - - edited
            A standalone tool SigningHistory.java is attached to look at signature information inside a jar. Run with jdk6u+. For jdk9, please add "--add-exports java.base/sun.security.pkcs=ALL-UNNAMED --add-exports java.base/sun.security.timestamp=ALL-UNNAMED --add-exports java.base/sun.security.util=ALL-UNNAMED --add-exports java.base/sun.security.x509=ALL-UNNAMED" to the command line because internal APIs are used.

            This tool can also be added to jdk9/dev and called when "jarsigner -history <jarfile>" is called. Jarsigner will only print out the signing history without doing anything else.
            weijun Weijun Wang added a comment -
            SigningHistory.java updated to print a usage line when args.length != 1.
            mullan Sean Mullan added a comment -
            Can SigningHistory be a JAR so users don't have to compile it?
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/7a25dbe45e61
            User: weijun
            Date: 2016-10-20 01:26:31 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/7a25dbe45e61
            User: lana
            Date: 2016-10-26 20:16:10 +0000
            afomin Alexander Fomin added a comment -
            UR SQE OK to take the fix to CPU17_01 as far as it should be aligned with JDK-8167591 already integrated in the release.

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                mullan Sean Mullan