Details
- Type: Bug
- Status: Resolved
- Priority: P3
- Resolution: Fixed
- Affects Version/s: 18
- Fix Version/s: 18
- Component/s: security-libs
- Labels: None
- Subcomponent:
- Resolved In Build: b25
Description
For example, this is a JAR signed with a 1024-bit key:
jarsigner -signedjar signeda.jar -sigalg SHA256withRSA a.jar e1
jar signed.
Warning:
The SHA-256 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA256withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.
The RSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
The signer certificate will expire within six months.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-23).
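The warnings above come from jarsigner itself; a defender who wants to confirm what a JAR's signers actually look like (key type and size, certificate expiry, presence of a timestamp) can read them from the java.security.CodeSigner objects the JDK exposes when a verified JAR is read. The program below is an added example, not JDK code or part of this issue's fix; the class name JarSignerAudit, the 2048-bit threshold and the 182-day expiry window are assumptions chosen for the example. It uses only public JDK API (JarFile with verification enabled, JarEntry.getCodeSigners, CodeSigner.getTimestamp and the RSAKey/DSAKey/ECKey interfaces).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not JDK code): audits the signers of a JAR independently of
 * jarsigner's warnings. Opens the JAR with verification enabled, forces every
 * entry to be read so its CodeSigners are populated, then reports each distinct
 * signer's key type and size, certificate expiry and whether a timestamp exists.
 */
public class JarSignerAudit {

    /** Assumed policy threshold for this example: flag RSA/DSA keys shorter than this. */
    static final int MIN_RSA_DSA_BITS = 2048;
    /** Assumed window: flag certificates expiring within this many days (about six months). */
    static final long EXPIRY_WARN_DAYS = 182;

    /** Key size in bits for the common key types; -1 for anything else. */
    static int keySize(PublicKey key) {
        if (key instanceof RSAKey) return ((RSAKey) key).getModulus().bitLength();
        if (key instanceof DSAKey) return ((DSAKey) key).getParams().getP().bitLength();
        if (key instanceof ECKey)  return ((ECKey) key).getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    /** One line per distinct signer certificate, plus a note if some entries are unsigned. */
    static List<String> audit(String jarPath) throws IOException {
        List<String> findings = new ArrayList<>();
        Set<X509Certificate> reported = new LinkedHashSet<>(); // X509Certificate equality is by encoding
        int unsignedEntries = 0;
        try (JarFile jar = new JarFile(jarPath, true)) { // verify=true: digests are checked on read
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // CodeSigners become available only after the entry has been fully read and verified.
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { unsignedEntries++; continue; }
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (!(leaf instanceof X509Certificate)) continue;
                    X509Certificate cert = (X509Certificate) leaf;
                    if (!reported.add(cert)) continue; // already described this signer
                    PublicKey key = cert.getPublicKey();
                    int bits = keySize(key);
                    StringBuilder sb = new StringBuilder();
                    sb.append("signer ").append(cert.getSubjectX500Principal())
                      .append(", key ").append(key.getAlgorithm()).append('/').append(bits);
                    if ((key instanceof RSAKey || key instanceof DSAKey) && bits < MIN_RSA_DSA_BITS) {
                        sb.append(" [WEAK KEY: below ").append(MIN_RSA_DSA_BITS).append(" bits]");
                    }
                    Instant notAfter = cert.getNotAfter().toInstant();
                    if (notAfter.isBefore(Instant.now().plus(EXPIRY_WARN_DAYS, ChronoUnit.DAYS))) {
                        sb.append(" [CERT EXPIRES ").append(notAfter).append(']');
                    }
                    Timestamp ts = s.getTimestamp();
                    sb.append(ts == null ? " [NOT TIMESTAMPED]"
                                         : " [timestamped " + ts.getTimestamp().toInstant() + "]");
                    findings.add(sb.toString());
                }
            }
        }
        if (unsignedEntries > 0) {
            findings.add(unsignedEntries + " non-META-INF entries carry no signature");
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerAudit.java <signed.jar>");
            System.exit(2);
        }
        for (String f : audit(args[0])) System.out.println(f);
    }
}
```

Run it against the JAR from the description with `java JarSignerAudit.java signeda.jar` (single-file source launch, JDK 11 or later); for a JAR signed as above it reports an RSA/1024 signer marked as a weak key, a certificate expiring within the window, and no timestamp. Note the limit of this check: the digest and signature algorithms used for the JAR signature itself (the `-digestalg` and `-sigalg` values jarsigner warns about) live in the META-INF signature block and are not exposed through CodeSigner, so this audit covers key size, certificate validity and timestamping only.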
Issue Links
- blocks: JDK-8273236 keytool does not accurately warn about algorithms that are disabled but have additional constraints (Resolved)
- relates to: JDK-8277474 jarsigner does not check if algorithm parameters are disabled (Resolved)
- relates to: JDK-8269039 Disable SHA-1 Signed JARs (Resolved)