RFR: 8365559: jarsigner shows files non-existent if signed with a weak algorithm

Weijun Wang weijun at openjdk.org
Thu Aug 14 16:30:15 UTC 2025


On Thu, 14 Aug 2025 16:09:33 GMT, Mark Powers <mpowers at openjdk.org> wrote:

>> See the bug report for details. Basically, entries in the SF set should always be removed no matter if it's treated as signed or not.
>
> test/jdk/sun/security/tools/jarsigner/RemovedFiles.java line 44:
> 
>> 42:             = "This jar contains signed entries for files that do not exist. See the -verbose output for more details.";
>> 43:     private static final String WEAK_UNSIGNED
>> 44:             = "The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled";
> 
> Need period at end of sentence.

Unfortunately not. Depending on whether `-verbose` is on, the command might show
> The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled.

or
> WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26781#discussion_r2277112011

