[jdk8u-dev] RFR: 8269039: Disable SHA-1 Signed JARs [v4]
Alexey Bakhtin
abakhtin at openjdk.org
Wed Nov 23 13:52:30 UTC 2022
On Wed, 23 Nov 2022 10:21:24 GMT, Andrew Haley <aph at openjdk.org> wrote:
> This is scary stuff. Clearly it isn't a backwards-compatible change. I guess the way this works is that JARs timestamped prior to January 01, 2019 are accepted, but only until the signing certificate expires. Right?
The behavior of the SHA-1 signed certificates before January 01, 2019 is not changed. They are still valid even if the signer certificate expires. The changes apply to JARs signed after January 01, 2019
-------------
PR: https://git.openjdk.org/jdk8u-dev/pull/154
More information about the jdk8u-dev
mailing list