Review request: JDK-8169443 Deprecate Java Packager Blob Signing
snfuchs at gmx.de
Tue Dec 13 19:02:45 UTC 2016
well I think reason number 1 is not correct. The definition of self
signed depends on who created the signing key. If you created it
yourself, it is a self signed jar and will rightfully be blocked.
If you however obtained the signing key from a Certification Authority,
that java accepts, it is not a self signed jar and will not be blocked.
This is a perfectly valid usecase for fxsign jar.
For the 2nd reason: I don't think many users will go modular for
Webstart Applications. Normally you simply pack all your classes in a
single big jar-file (and perhaps a second, if you use a preloader).
This avoids various network round trips, when the application starts and
makes deployment much easier.
> Hi Stefan,
> Yes, it is being deprecated. It will continue to function as it has. Two main reasons for the deprecation are:
> 1. Self signed jars are blocked and sign as blob is a self signed jars.
> 2. There will be a replacement for modules that will be better.
>> On Dec 12, 2016, at 11:56 PM, Stefan Fuchs <snfuchs at gmx.de> wrote:
>> so blog signing as deprecated.
>> What are the reasons for deprecating blog signing? Are there alternatives?
>> How do I sign a webstart application?
>>> Please review these changes to deprecate the blob signing from the Java Packager.
>>> JIRA: https://bugs.openjdk.java.net/browse/JDK-8169443 <https://bugs.openjdk.java.net/browse/JDK-8169443>
>>> Webrev: http://cr.openjdk.java.net/~cbensen/JDK-8169443/webrev.00/ <http://cr.openjdk.java.net/~cbensen/JDK-8169443/webrev.00/>
More information about the openjfx-dev