[9] Review request: JDK-8169443 Deprecate Java Packager Blob Signing

Chris Bensen chris.bensen at oracle.com
Wed Dec 14 00:27:09 UTC 2016


The “new” was introduced for some reason in JDK 1.8 documentation, but this has been there since JDK 1.0 documentation, which I can’t find, but it’s also there since JDK 2.0 [1].

The deployment guide will be updated.

Chris

[1] http://docs.oracle.com/javafx/2/deployment/javafx_ant_task_reference001.htm


> On Dec 13, 2016, at 3:52 PM, Stefan Fuchs <snfuchs at gmx.de> wrote:
> 
> Well, in Java 8 <fx:signjar> is part of the javafx_ant_task reference [1]
> and advertised as being the new and more efficient way to sign jars [2]
> 
> Anyway, perhaps the deprecation message for <fx:signjar> could be enhanced to point to https://ant.apache.org/manual/Tasks/signjar.html as the recommended way to sign jars.
> The Deployment Guide should be updated as well.
> 
> - Stefan
> 
> 
> [1] http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/javafx_ant_task_reference.html#CIADDAEE
> [2] http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/packaging.html#BABJGFBH
> 
> 
> 
> David DeHaven wrote:
>> This is only signing via the <fx:signjar> mechanism, which was never fully supported or part of any standard. To sign webstart applications (even FX apps) just use jarsigner or the associated ant signjar task.
>> 
>> -DrD-
>> 
>> [1] https://ant.apache.org/manual/Tasks/signjar.html
>> 
>>> On Dec 13, 2016, at 11:02 AM, Stefan Fuchs <snfuchs at gmx.de> wrote:
>>> 
>>> Hi Chris,
>>> 
>>> Well, I think reason number 1 is not correct. The definition of self signed depends on who created the signing key. If you created it yourself, it is a self signed jar and will rightfully be blocked.
>>> If you, however, obtained the signing key from a Certification Authority that Java accepts, it is not a self signed jar and will not be blocked.
>>> This is a perfectly valid use case for fxsign jar.
>>> 
>>> For the 2nd reason: I don't think many users will go modular for Webstart Applications. Normally you simply pack all your classes in a single big jar-file (and perhaps a second, if you use a preloader).
>>> This avoids various network round trips, when the application starts and makes deployment much easier.
>>> 
>>> 
>>> Stefan
>>> 
>>>> Hi Stefan,
>>>> 
>>>> Yes, it is being deprecated. It will continue to function as it has. Two main reasons for the deprecation are:
>>>> 
>>>> 1. Self signed jars are blocked and sign as blob is a self signed jar.
>>>> 
>>>> 2. There will be a replacement for modules that will be better.
>>>> 
>>>> Chris
>>>> 
>>>> 
>>>>> On Dec 12, 2016, at 11:56 PM, Stefan Fuchs <snfuchs at gmx.de> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> so blob signing is deprecated.
>>>>> 
>>>>> What are the reasons for deprecating blob signing? Are there alternatives?
>>>>> How do I sign a webstart application?
>>>>> 
>>>>> Stefan
>>>>> 
>>>>>> David,
>>>>>> 
>>>>>> Please review these changes to deprecate the blob signing from the Java Packager.
>>>>>> 
>>>>>> JIRA: https://bugs.openjdk.java.net/browse/JDK-8169443
>>>>>> Webrev: http://cr.openjdk.java.net/~cbensen/JDK-8169443/webrev.00/
>>>>>> 
>>>>>> Chris
>> 
> 


