RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar

Wang Weijun weijun.wang at oracle.com
Wed Oct 19 23:58:33 UTC 2016


> Am Wed, 19 Oct 2016 16:13:24 -0400
> schrieb Sean Mullan <
> sean.mullan at oracle.com
> >:
> 
> >
>  150                 "The jar will be treated as unsigned, because it
> 
> >
>  is signed with a weak algorithm that is now disabled.\n\nRe-run
> 
> >
>  jarsigner with the -verbose option for more details."},
> 
> 
> I also wondered: what if there are multiple signatures. So a "because
> it is signed only with weak algorithms" might be better?

This is more precise.

But probably not more helpful. This warning only shows when all algorithms are weak and saying one algorithm is weak is not misleading.

IMO, people will only get confused when one signature is weak and the other is not. In this case, the history prints out 2 signatures but "jarsigner -verify -verbose -certs" only shows one for the entries. I hope the weak label there could be meaningful.

Thanks
Max

> 
> Gruss
> Bernd


More information about the security-dev mailing list