RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
sean.mullan at oracle.com
Wed Oct 19 20:13:24 UTC 2016
98 private static final DisabledAlgorithmConstraints SIGN_CHECK =
99 new DisabledAlgorithmConstraints(

This should be changed to PROPERTY_JAR_DISABLED_ALGS now that the fix
for 8167594 is in 9.

150 "The jar will be treated as unsigned, because it is
signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner
with the -verbose option for more details."},

Should this also have "WARNING:" at the beginning like the other 2
unsigned warning messages?

45 * a new jar entry will be created with the file name itself the
70 * with the file name itself the content.

These 2 lines would be more understandable if you changed "itself the
content" to "itself as the content".

You will need to update this test based on the new MD5 restrictions
added in 8167594.

On 10/19/2016 03:36 AM, Wang Weijun wrote:
> Please review the code change at
> With this change, "jarsigner -verify -verbose" will print out how a jar was signed.
> For example, a jar which was signed and timestamped with many weak algorithms will show
> - Signed by "CN=old"
> Digest algorithm: MD2 (weak)
> Signature algorithm: MD2withRSA (weak), 2048-bit key
> Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
> Timestamp digest algorithm: MD2 (weak)
> Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)
> WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
> jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024
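
The "(weak)" labels in the quoted output, reproduced as an added example that is not part of the original message or of the JDK change under review. The class and method names are hypothetical, and the parsing is a simplified model that handles only the two entry forms appearing in the quoted property value.

```java
import java.util.*;

// Simplified model (an assumption, not the JDK's DisabledAlgorithmConstraints):
// supports only the entry forms "NAME" and "NAME keySize < N".
public class WeakAlgLabels {
    private final Set<String> disabledNames = new HashSet<>();
    private final Map<String, Integer> minKeyBits = new HashMap<>();

    WeakAlgLabels(String property) {
        for (String entry : property.split(",")) {
            String[] t = entry.trim().split("\\s+");
            if (t.length == 1 && !t[0].isEmpty()) {
                disabledNames.add(t[0].toUpperCase(Locale.ROOT));
            } else if (t.length == 4 && t[1].equalsIgnoreCase("keySize") && t[2].equals("<")) {
                minKeyBits.put(t[0].toUpperCase(Locale.ROOT), Integer.parseInt(t[3]));
            } else {
                throw new IllegalArgumentException("unsupported entry: " + entry.trim());
            }
        }
    }

    // A composite name such as MD2withRSA is weak if any of its parts is disabled.
    boolean nameWeak(String alg) {
        for (String part : alg.toUpperCase(Locale.ROOT).split("WITH")) {
            if (disabledNames.contains(part)) return true;
        }
        return false;
    }

    // A key is weak if its size is below the limit set for its algorithm.
    boolean keyWeak(String keyAlg, int bits) {
        Integer min = minKeyBits.get(keyAlg.toUpperCase(Locale.ROOT));
        return min != null && bits < min;
    }

    String describe(String sigAlg, String keyAlg, int bits) {
        return sigAlg + (nameWeak(sigAlg) ? " (weak)" : "") + ", "
                + bits + "-bit key" + (keyWeak(keyAlg, bits) ? " (weak)" : "");
    }

    public static void main(String[] args) {
        // Property value and algorithm names copied from the quoted message;
        // the RSA key type is inferred from the signature algorithm names.
        WeakAlgLabels c = new WeakAlgLabels("MD2, RSA keySize < 1024, DSA keySize < 1024");
        System.out.println("Digest algorithm: MD2" + (c.nameWeak("MD2") ? " (weak)" : ""));
        System.out.println("Signature algorithm: " + c.describe("MD2withRSA", "RSA", 2048));
        System.out.println("Timestamp signature algorithm: " + c.describe("SHA1withRSA", "RSA", 512));
    }
}
```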