  1. JDK
  2. JDK-8229775

Incorrect warning when jar was signed with -sectionsonly

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 14
    • Component/s: security-libs
    • Labels:
      None

      Description

      "jarsigner -verify" is able to look into the .SF file inside a signed jar file and print out what algorithms were used at signing, even if the algorithms are now considered weak and the signed jar is treated as unsigned. It does this by searching for a header named something like "SHA-256-Digest-Manifest". However, if -sectionsonly is used at signing, this header does not exist.
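
      The lookup described above, as an added example (not part of the issue, not jarsigner's code and not the JDK fix): a Python audit helper that reads `.SF` text and reports the digest algorithms from the `<alg>-Digest-Manifest` header, falling back to the per-entry `<alg>-Digest` attributes when that header is absent. The fallback strategy, the function names and the sample `.SF` contents are assumptions constructed for illustration.

```python
import re

# Constructed sample .SF text; digest values are placeholders, not real hashes.
# Keeping the main-attributes digest header in both samples is an assumption.
SF_FULL = (
    "Signature-Version: 1.0\r\n"
    "SHA-256-Digest-Manifest-Main-Attributes: AAAA\r\n"
    "SHA-256-Digest-Manifest: BBBB\r\n"
    "Created-By: constructed-sample\r\n"
    "\r\n"
    "Name: com/example/A.class\r\n"
    "SHA-256-Digest: CCCC\r\n"
    "\r\n"
)
# Same file without the whole-manifest digest header, as the issue describes
# for a jar signed with -sectionsonly.
SF_SECTIONS_ONLY = SF_FULL.replace("SHA-256-Digest-Manifest: BBBB\r\n", "")

# Anchored so "...-Digest-Manifest-Main-Attributes" is not mistaken for it.
MANIFEST_DIGEST = re.compile(r"^(.+)-Digest-Manifest$", re.IGNORECASE)
ENTRY_DIGEST = re.compile(r"^(.+)-Digest$", re.IGNORECASE)

def parse_sections(text):
    """Split manifest-style text into {header: value} sections."""
    sections, current, last = [], {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":                      # blank line ends a section
            if current:
                sections.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last is not None:
            current[last] += line[1:]       # continuation of a wrapped value
        elif ": " in line:
            last, value = line.split(": ", 1)
            current[last] = value
    if current:
        sections.append(current)
    return sections

def digest_algorithms(sf_text):
    """Return (sorted algorithm names, which kind of header named them)."""
    sections = parse_sections(sf_text)
    main, entries = (sections[0], sections[1:]) if sections else ({}, [])
    algs = {m.group(1).upper() for k in main if (m := MANIFEST_DIGEST.match(k))}
    if algs:
        return sorted(algs), "manifest-header"
    # Header missing: read the algorithm from the per-entry sections instead.
    algs = {m.group(1).upper() for s in entries if "Name" in s
            for k in s if (m := ENTRY_DIGEST.match(k))}
    return sorted(algs), ("entry-sections" if algs else "none")
```

      A checker that only inspects the main section would return no algorithm for `SF_SECTIONS_ONLY`; the second return value makes that case visible in an audit report.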

            People

            • Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang