Re: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar s

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17

From: Aleksandar Kurtakov <akurtako@xxxxxxxxxx>
Date: Tue, 11 May 2021 10:46:32 +0300
Delivered-to: eclipse.org-planning-council@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/eclipse.org-planning-council/>
List-help: <mailto:eclipse.org-planning-council-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/eclipse.org-planning-council>, <mailto:eclipse.org-planning-council-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/eclipse.org-planning-council>, <mailto:eclipse.org-planning-council-request@eclipse.org?subject=unsubscribe>

On Tue, May 11, 2021 at 10:36 AM Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Forwarding to planning council.

Mikaël Barbero
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

Begin forwarded message:

From: Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Upcoming changes regarding jar signing in JDK17
Date: 10 May 2021 at 21:02:05 CEST
To: Common-build Developers discussion <cbi-dev@xxxxxxxxxxx>

Hi,

In the recent build 21 of JDK 17, jars signed with SHA-1will be considered unsafe (see https://bugs.openjdk.java.net/browse/JDK-8196415 for details).

Today, all jars signed with the Eclipse Foundation's jar signing service are mostly free of SHA1 digests, except for the timestamp digests which still use the default --tsadigestalg from JDK8, ie SHA1.

See below the output of jarsigner -verify -verbose for org.eclipse.jdt.core_3.25.0.v20210223-0522.jar (latest 2021-03 release):

- Signed by "CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Nepean, ST=Ontario, C=CA"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021
Timestamp digest algorithm: SHA-1 (weak)
Timestamp signature algorithm: SHA256withRSA, 2048-bit key

I propose to change the default Timestamp digest algorithm of the Foundation's jar signing service to SHA256 as soon as possible. If there is a strong requirement, it is possible to add an option to the signing service (and the cbi maven plugin) to allow projects specifying a digest algorithm of their choice.

Thoughts?

If Java 17 will consider it unsigned I would say do the change without even providing the option to switch back as providing such signatures doesn't make sense anymore.

Mikaël Barbero
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

_______________________________________________
eclipse.org-planning-council mailing list
eclipse.org-planning-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-planning-council

Aleksandar Kurtakov

Red Hat Eclipse Team

References:
- [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
  - From: Mikael Barbero

Prev by Date: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
Next by Date: Re: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
Previous by thread: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
Next by thread: Re: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
Index(es):
- Date
- Thread

Breadcrumbs