The OpenJDK JCA does not do provider signature checking. So you can install your own providers and don’t need to sign them.
Regards,
Bernd
--
http://bernd.eckenfels.net
________________________________
From: security-dev <[email protected]> on behalf of David Penick <[email protected]>
Sent: Monday, February 4, 2019 11:18 AM
To: [email protected]
Subject: Signed JCE and providers jars

I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar files do not appear to be signed. I’m surprised they work without being signed, but I also haven’t been able to find anyone asking how to get signed versions of the Sun JCE.

How can I get signed versions of the Sun JCE jars, or should I not worry about it, and if so, why not?

Thanks,
David
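
Added example, not part of the mailing-list thread or of OpenJDK: a small Java program that lists each installed JCA provider on the running JDK, where its implementation class was loaded from, and whether that code source carries any code signers. The class name ProviderSigners is an assumption made for the example; it uses only standard java.security APIs.

```java
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;

// Added example: report the signing state of every installed JCA provider.
public class ProviderSigners {

    // Describe where a provider class came from and who, if anyone, signed it.
    static String describe(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null) {
            // Classes defined by the bootstrap loader have no CodeSource.
            return "no code source (bootstrap loader)";
        }
        CodeSigner[] signers = cs.getCodeSigners();
        if (signers == null || signers.length == 0) {
            return "unsigned, loaded from " + cs.getLocation();
        }
        StringBuilder sb = new StringBuilder("signed, loaded from " + cs.getLocation());
        for (CodeSigner s : signers) {
            List<? extends Certificate> path = s.getSignerCertPath().getCertificates();
            // The first certificate in the path belongs to the signer itself.
            if (!path.isEmpty() && path.get(0) instanceof X509Certificate) {
                X509Certificate signerCert = (X509Certificate) path.get(0);
                sb.append(System.lineSeparator())
                  .append("      signer: ")
                  .append(signerCert.getSubjectX500Principal().getName());
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " (" + p.getClass().getName() + ")");
            System.out.println("    " + describe(p));
        }
    }
}
```

Because the runtime described in the reply does not check provider signatures, the practical control over which providers load is the integrity of the JDK installation and of the provider list in its java.security file.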
