RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v2]

Wed Jan 13 22:15:26 UTC 2021

On Wed, 13 Jan 2021 20:25:53 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1484:
>> 
>>> 1482:                 // If the cert is trusted, only check its key size, but not its
>>> 1483:                 // signature algorithm. This is because warning should not be
>>> 1484:                 // generated for SHA-1 roots which are not an issue.
>> 
>> SHA-1 is just a glitch in the long history at this very moment, and thus I think it's inappropriate to mention it in the source code. In my opinion, the general reason we don't check the signature is that we trust its origin anyway and we don't verify the signature at all (do we?). On the other hand, since its key is used to sign other certs, we need to make sure the key size is big enough so that no one else is able to recover the key and use it to sign other certs.
>
> Yes, I would remove the 2nd sentence that starts with "This is ...". There are plenty of references on the Internet which explain this, so no need to add much detail.

Removed.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2042