RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar

Wang Weijun weijun.wang at oracle.com
Wed Oct 19 07:36:42 UTC 2016


Please review the code change at

   http://cr.openjdk.java.net/~weijun/8163304/webrev.01/

With this change, "jarsigner -verify -verbose" will print out how a jar was signed.

For example, a jar which was signed and timestamped with many weak algorithms will show

- Signed by "CN=old"
    Digest algorithm: MD2 (weak)
    Signature algorithm: MD2withRSA (weak), 2048-bit key
  Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
    Timestamp digest algorithm: MD2 (weak)
    Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024

Thanks
Max



More information about the security-dev mailing list