Signed JCE and providers jars

Bernd Eckenfels ecki at zusammenkunft.net
Mon Feb 4 10:37:46 UTC 2019


The OpenJDK JCA does not do provider signature checking. So you can install your own providers and don’t need to sign them.

Regards
Bernd
--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-bounces at openjdk.java.net> on behalf of David Penick <dpenick at gmail.com>
Sent: Monday, February 4, 2019 11:18 AM
To: security-dev at openjdk.java.net
Subject: Signed JCE and providers jars

I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar files do not appear to be signed. I’m surprised they work without being signed, but I also haven’t been able to find anyone asking how to get signed versions of the Sun JCE.

How can I get signed versions of the Sun JCE jars, or should I not worry about it, and if so, why not?

Thanks,
David
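
The check discussed in this thread (whether jce.jar, sunjce_provider.jar or sunpkcs11.jar carry a signature) can be reproduced with the standard java.util.jar API. This is an added example, not part of the original messages; the class name JarSignatureCheck and the method countUnsignedEntries are made up for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: counts jar entries that carry no code signer. */
public class JarSignatureCheck {

    /** Returns the number of unsigned payload entries; 0 means every checked entry is signed. */
    static int countUnsignedEntries(String path) throws IOException {
        int unsigned = 0;
        // verify=true makes JarFile check digests and signatures while entries are read;
        // a modified entry in a signed jar raises SecurityException during the read.
        try (JarFile jar = new JarFile(path, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Directories are not signed; META-INF (manifest, .SF, .RSA/.DSA/.EC files)
                // is skipped here for simplicity.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signer information is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) {
                        // drain the stream
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    unsigned++;
                }
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        // Pass one or more jar paths, e.g. the provider jars named in the thread.
        for (String path : args) {
            int unsigned = countUnsignedEntries(path);
            System.out.println(path + ": "
                    + (unsigned == 0 ? "all checked entries signed" : unsigned + " unsigned entries"));
        }
    }
}
```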