Jar's CodeSigner null on Java 10, non-null on Java 8

Scott Palmer swpalmer at gmail.com
Sun Oct 7 17:08:28 UTC 2018


Thanks Alan. I think this is exactly the issue I was hitting.

Is it currently not possible to ensure modules have not been tampered with? I don’t think my application will ever be properly modularized anyway, so I will simply make sure those jars are only on the class path. But I’m a little surprised that a security issue like this would linger for so long.

I guess with the removal of applet and web start support this issue wasn’t deemed as serious as it otherwise would be.

Regards,

Scott

> On Oct 7, 2018, at 3:49 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
> 
> On 06/10/2018 06:21, Scott Palmer wrote:
>> As is too often the case I discovered the difference while trying to isolate a test case. With Java 10 I had extra JVM args to deal with module path and that appeared to cause the problem.
> There is very limited support for signing of modules and signed modular JARs. JDK-8194930 [1] tracks the issue of the protection domain not including the signing info but there are other issues, mostly at link-time where jlink will report an error if you attempt to create a run-time image containing a signed module.
> 
> -Alan
> 
> [1] https://bugs.openjdk.java.net/browse/JDK-8194930
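
Added example, not part of the original thread or of the JDK: one way for an application to check a JAR's signers itself by reading them from `java.util.jar.JarFile`, rather than from the class's protection domain, which is where the thread reports the signing info missing. The class and method names are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper class (name is an assumption, not from the thread).
public class JarSignerCheck {

    // Top-level META-INF files that hold the signature itself and are never signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // True only if every content entry passes digest verification and has a signer.
    static boolean allEntriesSigned(String jarPath) throws IOException {
        // verify=true: digests are checked against the signature files as entries are read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are populated only after the entry is read to the end;
                // a modified entry makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException e) {
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) return false; // unsigned or added entry
            }
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // args[0]: path to the JAR to check (supplied by the caller).
        System.out.println(args[0] + " fully signed: " + allEntriesSigned(args[0]));
    }
}
```

A non-empty signer array only shows that the entry was signed by someone; the caller still has to compare each signer's `getSignerCertPath()` against a certificate it trusts.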



