RFR: 8365559: jarsigner shows files non-existent if signed with a weak algorithm

Artur Barashev abarashev at openjdk.org
Thu Aug 14 17:23:11 UTC 2025


On Thu, 14 Aug 2025 15:17:09 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> See the bug report for details. Basically, entries in the SF set should always be removed no matter if it's treated as signed or not.

test/jdk/sun/security/tools/jarsigner/RemovedFiles.java line 107:

> 105:                 Files.writeString(Path.of("c"), "c"));
> 106:         SecurityTools.keytool("-genkeypair -storepass changeit -keystore ks -alias w -dname CN=w -keyalg ec");
> 107:         SecurityTools.jarsigner("-storepass changeit -keystore ks c.jar w -sigalg SHA1withECDSA")

Nit: A comment explaining that `SHA1` is disabled in the `jdk.jar.disabledAlgorithms` security property would be helpful.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26781#discussion_r2277255959

