Hi Robert!
I copied your update to the report and moved it into the JDK project.
You should be able to access it now:
https://bugs.openjdk.java.net/browse/JDK-8049480
Sincerely yours,
Ivan
On 04.07.2014 12:30, Robert Gibson wrote:
Hi,
I'm the reporter of JI-9013191 and I just wanted to follow up with
some more information, since I can't see or comment on the bug in the
OpenJDK JIRA instance. Hope this is the right place.
I'm having problems with JAR files signed and timestamped with JDK9 -
they fail validation under JDK7u60. It looks like this is due to the
fact that JDK9 timestamps by default using SHA-256 - but in the JDK 7u
tree, AlgorithmId.java is missing a backport of changeset JDK-7180907
which means that SignatureFileVerifier#verifyTimestamp fails since it
is looking for an algorithm with the non-standard name SHA256 (without
a hyphen).
By the way, the bug report talks about Web Start, but the minimal
reproducible case is much easier and doesn't involve Web Start:
- create a jar with one file in it
- sign and timestamp with JDK9 using default settings
- verify with JDK7 -> verification failure "jar is unsigned.
(signatures missing or not parsable)"
Running the verification with -J-Djava.security.debug=jar gives
jar: processEntry: processing block
jar: processEntry caught: java.security.NoSuchAlgorithmException:
SHA256 MessageDigest not available
jar: done with meta!
jar: nothing to verify!
Hope that helps,
Robert
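
The reproduction steps and the debug output quoted in the report, as an added shell example that is not part of the original thread. `JDK9_HOME`, `JDK7_HOME` and `TSA_URL` are assumptions supplied by the caller, and the key alias, passwords and file names are constructed.

```shell
#!/bin/sh
# Added example: sign and timestamp a one-file jar with one JDK, verify it with
# another, and report the digest name the verifier failed to resolve.

# Read java.security.debug=jar output on stdin and print the algorithm name
# from "NoSuchAlgorithmException: <name> MessageDigest not available".
# The debug output wraps the message onto the next line, so join lines first.
missing_digest() {
    tr '\n' ' ' |
        sed -n 's/.*NoSuchAlgorithmException: *\([A-Za-z0-9-]*\) MessageDigest not available.*/\1/p'
}

# Classify the verifier output read on stdin.
classify() {
    name=$(missing_digest)
    case "$name" in
        "") echo "no-digest-error" ;;
        SHA224|SHA256|SHA384|SHA512) echo "hyphenless:$name" ;;
        *) echo "other:$name" ;;
    esac
}

# The three steps from the report, run in a scratch directory.
repro() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        echo hello > file.txt
        "$JDK9_HOME/bin/jar" cf test.jar file.txt
        # Throwaway self-signed key (constructed values).
        "$JDK9_HOME/bin/keytool" -genkeypair -alias test -keyalg RSA \
            -keystore ks.jks -storepass changeit -keypass changeit \
            -dname "CN=constructed test key"
        # Sign and timestamp with default settings.
        "$JDK9_HOME/bin/jarsigner" -keystore ks.jks -storepass changeit \
            -tsa "$TSA_URL" test.jar test
        # Verify with the older JDK; debug output goes to stderr.
        "$JDK7_HOME/bin/jarsigner" -verify -J-Djava.security.debug=jar \
            test.jar 2>&1 | classify
    )
}

# Run the reproduction only when both JDKs and a TSA URL were provided.
if [ -n "${JDK9_HOME:-}" ] && [ -n "${JDK7_HOME:-}" ] && [ -n "${TSA_URL:-}" ]; then
    repro
fi
```

A result of `hyphenless:SHA256` matches the failure described in the report; `no-digest-error` means the verifier output contained no such exception.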