On Wed, 13 Jan 2021 15:13:52 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   No warning for trusted cert's SHA1, and added debug output to test
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1484:
>
>> 1482: // If the cert is trusted, only check its key size, but not its
>> 1483: // signature algorithm. This is because warning should not be
>> 1484: // generated for SHA-1 roots which are not an issue.
>
> SHA-1 is just a glitch in the long history at this very moment, and thus I think it's inappropriate to mention it in the source code. In my opinion, the general reason we don't check the signature is that we trust its origin anyway and we don't verify the signature at all (do we?). On the other hand, since its key is used to sign other certs, we need to make sure the key size is big enough so that no one else is able to recover the key and use it to sign other certs.

Yes, I would remove the 2nd sentence that starts with "This is ...". There are plenty of references on the Internet which explain this, so no need to add much detail.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2042