  1. JDK
  2. JDK-8163304 jarsigner -verbose -verify should print the algorithms used to sign the jar
  3. JDK-8168828

Release Note: jarsigner -verbose -verify should print the algorithms used to sign the jar

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: P4
    • Resolution: Delivered
    • Affects Version/s: 6u141, 7u131, 8u121, 9
    • Fix Version/s: None
    • Component/s: security-libs

        Description

        The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and to indicate whether any of them are considered weak.

        Specifically, when `jarsigner -verify -verbose filename.jar` is run, a separate section is printed showing information about the signature and the timestamp (if one exists) inside the signed JAR file, even if the JAR is treated as unsigned for various reasons. Any algorithm or key that is considered weak, as specified in the Security property `jdk.jar.disabledAlgorithms`, is labeled with "(weak)".

        For example:
        ```
        - Signed by "CN=weak_signer"
            Digest algorithm: MD2 (weak)
            Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
          Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
            Timestamp digest algorithm: SHA-256
            Timestamp signature algorithm: SHA256withRSA, 2048-bit key
        ```
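
An added example, not part of the release note or of the JDK: a Python check that parses this section and reports which signer or timestamp authority carries an item labeled "(weak)", so a build can fail on it. The function names are hypothetical, the embedded sample is the output shown above, and the parser assumes English-locale output laid out as in that sample.

```python
import re
import subprocess
import sys

# Constructed sample: the output section shown in the release note.
SAMPLE = '''\
- Signed by "CN=weak_signer"
    Digest algorithm: MD2 (weak)
    Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
  Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key
'''

# 'Signed by "<DN>"' / 'Timestamped by "<DN>" on <date>' open a block.
PARTY = re.compile(r'^\s*(?:- )?(Signed|Timestamped) by "([^"]*)"')
# Indented '<name> algorithm: <item>[, <item>]' lines belong to that block.
DETAIL = re.compile(r'^\s+([A-Za-z ]+algorithm): (.+)$')
WEAK = " (weak)"

def weak_findings(output):
    """Return (role, subject, field, item) for every item labeled (weak)."""
    findings = []
    role = subject = None
    for line in output.splitlines():
        m = PARTY.match(line)
        if m:
            role = "signer" if m.group(1) == "Signed" else "tsa"
            subject = m.group(2)
            continue
        m = DETAIL.match(line)
        if m and subject is not None:
            # Algorithm and key size are separate items on one line.
            for item in m.group(2).split(", "):
                if item.endswith(WEAK):
                    findings.append((role, subject, m.group(1), item[:-len(WEAK)]))
    return findings

def check_jar(path):
    """Run jarsigner on a JAR file and return its weak findings."""
    out = subprocess.run(["jarsigner", "-verify", "-verbose", path],
                         capture_output=True, text=True).stdout
    return weak_findings(out)

if __name__ == "__main__":
    results = check_jar(sys.argv[1]) if len(sys.argv) > 1 else weak_findings(SAMPLE)
    for role, subject, field, item in results:
        print(f"WEAK {role} {subject}: {field} = {item}")
    sys.exit(1 if results else 0)
```

Keeping the role in each finding lets a build policy treat a weak signer differently from a weak timestamp authority.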

                People

                • Assignee: Weijun Wang (weijun)
                • Reporter: Weijun Wang (weijun)