Signed JCE and providers jars

Bernd Eckenfels ecki at
Mon Feb 4 10:37:46 UTC 2019

The OpenJDK JCA does not do provider signature checking. So you can install your own providers and don’t need to sign them.


Von: security-dev <security-dev-bounces at> im Auftrag von David Penick <dpenick at>
Gesendet: Montag, Februar 4, 2019 11:18 AM
An: security-dev at
Betreff: Signed JCE and providers jars

I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar files do not appear to be signed. I’m surprised they work without being signed, but I also haven’t been able to find anyone asking how to get signed versions of the Sun JCE.

How can I get signed versions of the Sun JCE jars, or should I not worry about it, and if so, why not?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list