On Wed, 13 Jan 2021 20:25:53 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line >> 1484: >> >>> 1482: // If the cert is trusted, only check its key size, >>> but not its >>> 1483: // signature algorithm. This is because warning >>> should not be >>> 1484: // generated for SHA-1 roots which are not an issue. >> >> SHA-1 is just a glitch in the long history at this very moment, and thus I >> think it's inappropriate to mention it in the source code. In my opinion, >> the general reason we don't check the signature is that we trust its origin >> anyway and we don't verify the signature at all (do we?). On the other hand, >> since its key is used to sign other certs, we need to make sure the key size >> is big enough so that no one else is able to recover the key and use it to >> sign other certs. > > Yes, I would remove the 2nd sentence that starts with "This is ...". There > are plenty of references on the Internet which explain this, so no need to > add much detail. Removed. ------------- PR: https://git.openjdk.java.net/jdk/pull/2042