Some offhand questions

Cesar Soares Lucas Divino.Cesar at microsoft.com
Tue Aug 27 17:19:54 UTC 2024 

I just inspected the top 10 used artifacts in Maven Central and none of the jars are signed..

I was led to ask this question here because I noticed the warning in the JVM console when trying the EA build on some internal projects. I'll check with our product teams to find the reason why they are shipping signed jars and whether they can drop that.


Thanks
Cesar
________________________________________
From: leyden-dev <leyden-dev-retn at openjdk.org> on behalf of Ioi Lam <ioi.lam at oracle.com>
Sent: Monday, August 26, 2024 2:01 PM
To: Leyden-dev Maillist
Subject: Re: Some offhand questions

Many apps used signed jars "accidentally". When signed jars were fashionable, some lib developers signed their jars. Many of these libraries become orphaned and remain signed for no particular reason.

The reason that CDS doesn't archive signed classes is because we aren't sure if we skip the whole signature checking process at run time, we can still ensure that all APIs related to code signing (eg Class.getSigners) can return the expected value.

Cesar, could you confirm if the class signatures are actually used for something useful?

If not, I think maybe we can introduce a new execution mode, to simply ignore code signatures.

Or drop support for signed jars as Alan mentioned below.

Thanks
Ioi



-----------

 From: leyden-dev <leyden-dev-retn at openjdk.org> on behalf of Alan Bateman <alan.bateman at oracle.com>
Sent: Saturday, August 24, 2024 7:23 AM
To: Cesar Soares Lucas <Divino.Cesar at microsoft.com>; Leyden-dev Maillist <leyden-dev at openjdk.org>
Cc: Brian Stafford <Brian.Stafford at microsoft.com>; Mat Carter <Matthew.Carter at microsoft.com>
Subject: Re: Some offhand questions



On 23/08/2024 23:04, Cesar Soares Lucas wrote:

Hello!

I've a few questions that I'd like to ask your opinion about.

- Signed Jars: As far as I understand, we currently don't include classes from signed jars in the CDS archive. What is the reason for that? I had the impression that being able to archive such classes would be important given that many .jars are signed?!



As a general point, signed JARs on the class path or module path aren't all that useful. It's very different to a signed JAR loaded from a remote site where the JDK would need a lot more infrastructure to validation certificate chains. There has been consideration on and off for many years about dropping the support for JAR files on the class path (and module path). The nice thing about dropping this (only from the class path and module path) is that it would avoid executing a lot of problematic security code when open JAR files.

-Alan

More information about the leyden-dev mailing list