Some offhand questions

Alan Bateman alan.bateman at oracle.com
Tue Aug 27 06:36:32 UTC 2024


On 26/08/2024 22:01, Ioi Lam wrote:
> *:*
> *
> *
> *The reason that CDS doesn't archive signed classes is because we 
> aren't sure if we skip the whole signature checking process at run 
> time, we can still ensure that all APIs related to code signing (eg 
> Class.getSigners) can return the expected value.*
>
Just to add add that this was an issue when jlink was introduced in JDK 
9 too. There was exploration into persisting the signer information into 
the runtime image so that signer information is available at runtime if 
needed. In the end, it didn't go too far and jlink now errors if you 
attempt to link in a module that is signed, need to use 
--ignore-signing-information to drop the signer information at link time.

Probably time to have another go as dropping signed JAR support from the 
class path and module path as it's too troublesome and don't do what 
people think.

-Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/leyden-dev/attachments/20240827/fe87591e/attachment.htm>


More information about the leyden-dev mailing list