| [cbi-dev] Upcoming changes regarding jar signing in JDK17 |
| Hi, In the recent build 21 of JDK 17, jars signed with SHA-1will be considered unsafe (see https://bugs.openjdk.java.net/browse/JDK-8196415 for details). Today, all jars signed with the Eclipse Foundation's jar signing service are mostly free of SHA1 digests, except for the timestamp digests which still use the default --tsadigestalg from JDK8, ie SHA1. See below the output of jarsigner -verify -verbose for org.eclipse.jdt.core_3.25.0.v20210223-0522.jar (latest 2021-03 release): - Signed by "CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Nepean, ST=Ontario, C=CA" Digest algorithm: SHA-256 Signature algorithm: SHA256withRSA, 2048-bit key Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021 Timestamp digest algorithm: SHA-1 (weak) Timestamp signature algorithm: SHA256withRSA, 2048-bit key I propose to change the default Timestamp digest algorithm of the Foundation's jar signing service to SHA256 as soon as possible. If there is a strong requirement, it is possible to add an option to the signing service (and the cbi maven plugin) to allow projects specifying a digest algorithm of their choice. Thoughts? Mikaël Barbero Manager — Release Engineering and Technology | Eclipse Foundation 🐦 @mikbarbero Eclipse Foundation: The Platform for Open Innovation and Collaboration |
Attachment:
signature.asc
Description: Message signed with OpenPGP