Thanks Brad and Bernd!

David

> On Feb 4, 2019, at 4:08 PM, Bradford Wetmore <[email protected]> wrote:
>
> Hi David,
>
>> On 2/4/2019 2:08 AM, David Penick wrote:
>> I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar files do not appear to be signed. I’m surprised they work without being signed, but I also haven’t been able to find anyone asking how to get signed versions of the Sun JCE.
>> How can I get signed versions of the Sun JCE jars, or should I not worry about it, and if so, why not?
>
> In Oracle's JDK 8 and earlier releases, the same rules still apply in that the Oracle Framework and Providers (previously called the "Sun Framework and Providers" in jce.jar/sunjce_provider.jar/sunpkcs11.jar/sunmscapi.jar/etc.) must be signed and properly verify. This signing requirement also applies to 3rd Party Provider jar files.
>
> In Oracle's JDK 9+ releases, the Oracle Framework/Providers are now implemented as modules (java.base/jdk.crypto.cryptoki/etc.) rather than jar files, and are not signed.
>
> 3rd Party Providers must still be signed in order to be used in the commercial Oracle JDK product.
>
> 3rd Party providers do not need to be signed for use with the Oracle OpenJDK builds, which is not a commercial product.
>
> It is up to other OpenJDK-based implementations (AdoptOpenJDK/Azul/IBM/etc.) to determine whether 3rd Party providers must be signed, and make the appropriate modifications to the code.
>
> Brad
