On 11/20/16 2:57 PM, Bernd Eckenfels wrote:
Hello,
how will the JCE Provider signing in Java 9 work? Are the jmod files
signed (I dont see a signature in them in the Windows EA builds)?
Third party JCE providers still need to be signed as a JAR file.
On the BouncyCastle Crypto mailing list there has been a discussion
that currently JCE code signing (of Jars) is done with a SHA1 chained
1024 bit DSA signature.
https://www.bouncycastle.org/devmailarchive/msg14905.html
Will that change to actually allow SHA-1 to be
turned off? Does the JAR-path checking security attribute also apply to
any (possible) JMOD signatures?
Oracle's planned changes do not include as far as I can see any changes
here. I dont mind much that JCE policy is enforced by an older
algorithm, but it makes it impossible to globally turn off SHA1 and DSA
(1024).
This information below is specific to Oracle's JDK, so it is best
discussed in a different forum. In short though, here is some
information you may find useful:
We have recently upgraded Oracle's JCE CA to use stronger algorithms
(SHA-256 and 2048-bit keys). It was released in JDK 8u111, 7u121, 6u131.
More information is here (see "New JCE Code Signing Root CA":
http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
You can now request a new JCE code signing certificate that uses
stronger algorithms. However, this certificate will only work on
releases on or after the above releases. Thus, we recommend that if you
do need to support older releases, you keep the signature on the
existing JAR and re-sign it with the new certificate/key -- which means
the resulting signed JAR will have 2 signatures.
--Sean
