JDK-8275887

jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 18
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels:
      None

      Description

      For example, this is a JAR signed with a 1024-bit key:

      jarsigner -signedjar signeda.jar -sigalg SHA256withRSA a.jar e1
      jar signed.

      Warning:
      The SHA-256 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
      The SHA256withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.
      The RSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
      The signer certificate will expire within six months.
      No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-23).
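
A triage helper for the output above, added here as an example (it is not code from the JDK or from this issue): it separates `-digestalg`/`-sigalg` warnings that appear next to a weak-keysize warning and name an otherwise acceptable algorithm from warnings that need attention on their own. The `ASSUMED_STRONG` set and the `triage` function are assumptions of this example, to be adjusted to local policy.

```python
import re

# Assumption of this example: algorithms treated as acceptable on their own.
ASSUMED_STRONG = {"SHA-256", "SHA-384", "SHA-512",
                  "SHA256withRSA", "SHA384withRSA", "SHA512withRSA"}

ALG_RE = re.compile(r"The (?P<alg>\S+) algorithm specified for the "
                    r"(?P<opt>-digestalg|-sigalg) option is considered a security risk")
KEY_RE = re.compile(r"The (?P<kalg>\S+) signing key has a keysize of (?P<bits>\d+) "
                    r"which is considered a security risk")

# Warning lines copied from the issue description above.
PAGE_OUTPUT = """\
Warning:
The SHA-256 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA256withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.
The RSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
The signer certificate will expire within six months.
"""

def triage(output):
    """Split jarsigner algorithm warnings into 'suspect' and 'genuine'.

    'suspect': the warning names an assumed-strong algorithm and a weak-keysize
    warning is also present, i.e. the pattern reported in this issue.
    """
    key, alg_warnings = None, []
    for raw in output.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = (m["kalg"], int(m["bits"]))
            continue
        m = ALG_RE.match(line)
        if m:
            alg_warnings.append((m["opt"], m["alg"]))
    suspect = [w for w in alg_warnings if key is not None and w[1] in ASSUMED_STRONG]
    genuine = [w for w in alg_warnings if w not in suspect]
    return {"key": key, "suspect": suspect, "genuine": genuine}

if __name__ == "__main__":
    result = triage(PAGE_OUTPUT)
    print("weak key:", result["key"])
    for opt, alg in result["suspect"]:
        print(f"likely spurious: {opt} {alg} (re-check after replacing the key)")
    for opt, alg in result["genuine"]:
        print(f"needs attention: {opt} {alg}")
```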

              People

              Assignee:
              Sean Mullan (mullan)
              Reporter:
              Sean Mullan (mullan)
              Votes:
              0
              Watchers:
              3
