Signed JCE and providers jars

Bradford Wetmore bradford.wetmore at
Mon Feb 4 22:08:56 UTC 2019

Hi David,

On 2/4/2019 2:08 AM, David Penick wrote:
> I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve 
> noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar 
> files do not appear to be signed. I’m surprised they work without being 
> signed, but I also haven’t been able to find anyone asking how to get 
> signed versions of the Sun JCE.
> How can I get signed versions of the Sun JCE jars, or should I not worry 
> about it, and if so, why not?

In Oracle's JDK 8 and earlier releases, the same rules still apply in 
that the Oracle Framework and Providers (previously called the "Sun 
Framework and Providers" in 
jce.jar/sunjce_provider.jar/sunpkcs11.jar/sunmscapi.jar/etc.) must be 
signed and properly verify.  This signing requirement also applies to 
3rd Party Provider jar files.

In Oracle's JDK 9+ releases, the Oracle Framework/Providers are now 
implemented as modules (java.base/jdk.crypto.cryptoki/etc.) rather than 
jar files, and are not signed.

3rd Party Providers must still be signed in order to be used in the 
commercial Oracle JDK product.

3rd Party providers do not need to be signed for use with the Oracle 
OpenJDK builds, which is not a commercial product.

It is up to other OpenJDK-based implementations 
(AdoptOpenJDK/Azul/IBM/etc.) to determine whether 3rd Party providers 
must be signed, and make the appropriate modifications to the code.


More information about the security-dev mailing list