On Mon, 26 Apr 2021 17:29:26 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> This change will restrict JARs signed with SHA-1 algorithms and treat them as
> if they were unsigned. This applies to the algorithms used to digest, sign,
> and optionally timestamp the JAR. It also applies to the signature and digest
> algorithms of the certificates in the certificate chain of the code signer
> and the Timestamp Authority, and any CRLs or OCSP responses that are used to
> verify if those certificates have been revoked.
>
> In order to reduce the compatibility risk for applications that have been
> previously timestamped or use private CAs, there are two exceptions to this
> policy:
>
> - Any JAR signed with SHA-1 algorithms and timestamped prior to January 01,
>   2019 will not be restricted.
> - Any JAR signed with a SHA-1 certificate that does not chain back to a Root
>   CA included by default in the JDK `cacerts` keystore will not be restricted.
>
> These exceptions may be removed in a future JDK release.
>
> All tests are in the closed repo for now.
>
> CSR: https://bugs.openjdk.java.net/browse/JDK-8264362

Marked as reviewed by coffeys (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/3700
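For readers auditing a JAR inventory against the policy quoted above, here is an added example (not JDK code, and not from this PR) that models the decision: every algorithm position the description lists is checked for SHA-1, and the two exceptions (timestamp before 2019-01-01, signer chain not anchored in a default `cacerts` root) are applied. The `SignedJarInfo` record and its field names are assumptions for the example; a real audit would populate them from `jarsigner -verify -verbose -certs` output or the parsed signature block.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed model of the inputs the policy looks at for one signed JAR (illustration only).
@dataclass
class SignedJarInfo:
    digest_alg: str                       # manifest/entry digest, e.g. "SHA-256" or "SHA-1"
    sig_alg: str                          # JAR signature, e.g. "SHA256withRSA" or "SHA1withRSA"
    signer_chain_sig_algs: List[str]      # signature algorithm of each cert in the signer chain
    chains_to_default_root: bool          # anchored in a Root CA shipped in the JDK cacerts keystore
    timestamp: Optional[str] = None       # TSA timestamp as ISO date "YYYY-MM-DD", if present
    tsa_digest_alg: Optional[str] = None
    tsa_sig_alg: Optional[str] = None
    tsa_chain_sig_algs: List[str] = field(default_factory=list)
    revocation_sig_algs: List[str] = field(default_factory=list)  # CRL / OCSP response signatures

SHA1_CUTOFF = date(2019, 1, 1)  # timestamps strictly before this date keep the JAR unrestricted

def uses_sha1(alg: str) -> bool:
    a = alg.replace("-", "").upper()          # accept "SHA-1", "SHA1", "SHA1withRSA", ...
    return a == "SHA1" or a.startswith("SHA1WITH")

def sha1_usages(info: SignedJarInfo) -> List[str]:
    """Every place covered by the policy where SHA-1 shows up."""
    checks = [
        ("manifest digest", [info.digest_alg]),
        ("JAR signature", [info.sig_alg]),
        ("signer certificate chain", info.signer_chain_sig_algs),
        ("timestamp digest", [info.tsa_digest_alg] if info.tsa_digest_alg else []),
        ("timestamp signature", [info.tsa_sig_alg] if info.tsa_sig_alg else []),
        ("TSA certificate chain", info.tsa_chain_sig_algs),
        ("CRL/OCSP signature", info.revocation_sig_algs),
    ]
    return [where for where, algs in checks if any(uses_sha1(a) for a in algs)]

def treat_as_unsigned(info: SignedJarInfo) -> Tuple[bool, str]:
    """Apply the restriction plus its two exceptions; returns (restricted, reason)."""
    hits = sha1_usages(info)
    if not hits:
        return False, "no SHA-1 algorithm involved"
    where = ", ".join(hits)
    # Exception 1: JAR timestamped before 2019-01-01.
    if info.timestamp is not None and date.fromisoformat(info.timestamp) < SHA1_CUTOFF:
        return False, f"SHA-1 in {where}, but timestamped {info.timestamp} (before {SHA1_CUTOFF})"
    # Exception 2: signer certificate chain ends at a private CA, not a default cacerts root.
    if not info.chains_to_default_root:
        return False, f"SHA-1 in {where}, but signer chain does not end at a default cacerts root"
    return True, f"SHA-1 in {where}; JAR is treated as unsigned"
```

Note that SHA-1 anywhere in the chain, timestamp or revocation data trips the rule even when the JAR's own digest and signature are SHA-256, which is the case most often missed when only the manifest is inspected.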
> This change will restrict JARs signed with SHA-1 algorithms and treat them as > if they were unsigned. This applies to the algorithms used to digest, sign, > and optionally timestamp the JAR. It also applies to the signature and digest > algorithms of the certificates in the certificate chain of the code signer > and the Timestamp Authority, and any CRLs or OCSP responses that are used to > verify if those certificates have been revoked. > > In order to reduce the compatibility risk for applications that have been > previously timestamped or use private CAs, there are two exceptions to this > policy: > > - Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, > 2019 will not be restricted. > - Any JAR signed with a SHA-1 certificate that does not chain back to a Root > CA included by default in the JDK `cacerts` keystore will not be restricted. > > These exceptions may be removed in a future JDK release. > > All tests are in the closed repo for now. > > CSR: https://bugs.openjdk.java.net/browse/JDK-8264362 Marked as reviewed by coffeys (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/3700