[jdk8u-dev] RFR: 8269039: Disable SHA-1 Signed JARs [v4]

Alexey Bakhtin abakhtin at openjdk.org
Wed Nov 23 13:52:30 UTC 2022


On Wed, 23 Nov 2022 10:21:24 GMT, Andrew Haley <aph at openjdk.org> wrote:

> This is scary stuff. Clearly it isn't a backwards-compatible change. I guess the way this works is that JARs timestamped prior to January 01, 2019 are accepted, but only until the signing certificate expires. Right?

The behavior of the SHA-1 signed certificates before January 01, 2019 is not changed. They are still valid even if the signer certificate expires. The changes apply to JARs signed after January 01, 2019.

-------------

PR: https://git.openjdk.org/jdk8u-dev/pull/154

