RFR: 8303410: Remove ContentSigner

Weijun Wang weijun at openjdk.org
Wed Mar 1 17:01:21 UTC 2023

On Tue, 28 Feb 2023 19:09:00 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:

> The `-altsigner` and `-altsignerpath` options in JarSigner with the underlying `ContentSigner` mechanism were deprecated in Java 9, for removal in Java 15. See [JDK-8076535](https://bugs.openjdk.org/browse/JDK-8076535), [JDK-8242260](https://bugs.openjdk.org/browse/JDK-8242260).
> This PR suggests it's time to remove this code:
> - The package `com/sun/jarsigner` is removed. This contained the `ContentSigner` and `ContentSignerParameters` along with a `package-info.java` file.
> - `JarSigner.java` is updated to remove processing of the `-altsigner` and `-altsignerpath` options and the loading and processing of the custom `ContentSigner`.
> - Similarly `c.s.s.t.jarsigner.Main` is updated to remove processing and mentioning of `-altsigner` and `-altsignerpath` options.
> - Mentions of the options in Resource files in the same directory are removed.
> - The `jarsigner.1` man page is updated to remove the section on the deprecated options
> - The `Spec` and `Options` tests are updated to remove usage of the `-altsigner` and `-altsignerpath` options.

I've filed the CSR at https://bugs.openjdk.org/browse/JDK-8303469 and added myself as a reviewer. I did add a comment saying this is contributed by Eirik so the CSR guys won't be surprised why I reviewed my own CSR. I've also added a link to RFC 8933 to explain why `ContentSigner` is not only useless but also not secure.


PR: https://git.openjdk.org/jdk/pull/12791
