Hi, I'm the reporter of JI-9013191 and I just wanted to follow up with some more information, since I can't see or comment on the bug in the OpenJDK JIRA instance. Hope this is the right place.
I'm having problems with JAR files signed and timestamped with JDK9 - they fail validation under JDK7u60. It looks like this is due to the fact that JDK9 timestamps by default using SHA-256 - but in the JDK 7u tree, AlgorithmId.java is missing a backport of changeset JDK-7180907 which means that SignatureFileVerifier#verifyTimestamp fails since it is looking for an algorithm with the non-standard name SHA256 (without a hyphen). By the way, the bug report talks about Web Start, but the minimal reproducable case is much easier and doesn't involve Web Start: - create a jar with one file in it - sign and timestamp with JDK9 using default settings - verify with JDK7 -> verification failure "jar is unsigned. (signatures missing or not parsable)" Running the verification with -J-Djava.security.debug=jar gives jar: processEntry: processing block jar: processEntry caught: java.security.NoSuchAlgorithmException: SHA256 MessageDigest not available jar: done with meta! jar: nothing to verify! Hope that helps, Robert
