
[cbi-dev] Upcoming changes regarding jar signing in JDK17


In the recent build 21 of JDK 17, jars signed with SHA-1 will be considered unsafe (see for details).

Today, all jars signed with the Eclipse Foundation's jar signing service are mostly free of SHA1 digests, except for the timestamp digests, which still use the default --tsadigestalg from JDK8, i.e. SHA1.

See below the output of jarsigner -verify -verbose for org.eclipse.jdt.core_3.25.0.v20210223-0522.jar (latest 2021-03 release):

- Signed by "CN=" Foundation, Inc.", OU=IT, O=" Foundation, Inc.", L=Nepean, ST=Ontario, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021
    Timestamp digest algorithm: SHA-1 (weak)
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

I propose to change the default Timestamp digest algorithm of the Foundation's jar signing service to SHA256 as soon as possible. If there is a strong requirement, it is possible to add an option to the signing service (and the cbi maven plugin) to allow projects specifying a digest algorithm of their choice.


Mikaël Barbero 
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

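The output format quoted above is what a release engineer would scan across a whole repository of jars. The following script, an added example and not part of this post or the CBI tooling, parses the per-signer section of jarsigner -verify -verbose output and reports every digest or signature algorithm that is weak, either because jarsigner itself printed "(weak)" (as JDK 17 does for the SHA-1 timestamp digest) or because the algorithm name is SHA-1/MD5 regardless of which JDK produced the output. The sample output, the placeholder signer DN and the WEAK_DIGESTS set are constructed for the example.

```python
import re

# Constructed sample modelled on the jarsigner -verify -verbose output in the post;
# the signer DN is a placeholder, the "(weak)" marker is what JDK 17 prints.
SAMPLE_OUTPUT = """\
- Signed by "CN=Example Signer, O=Example Foundation, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Example TSA, O=Example TSA Corp, C=US" on Tue Feb 23 12:20:10 UTC 2021
    Timestamp digest algorithm: SHA-1 (weak)
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key
"""
# Same jar re-signed with a SHA-256 timestamp digest (constructed).
CLEAN_OUTPUT = SAMPLE_OUTPUT.replace("SHA-1 (weak)", "SHA-256")

FIELD_RE = re.compile(
    r"^\s*(Digest|Signature|Timestamp digest|Timestamp signature) algorithm:\s*(.+?)\s*$")
# Digests treated as weak even when jarsigner stays silent (older JDKs do not
# print "(weak)" for SHA-1). Assumption: this minimal set is what matters here.
WEAK_DIGESTS = {"SHA1", "MD5", "MD2"}


def parse_jarsigner_verify(text):
    """Return one dict per '- Signed by' entry, mapping the field name
    (e.g. 'Timestamp digest') to the algorithm string exactly as printed."""
    signers = []
    for line in text.splitlines():
        if line.lstrip().startswith("- Signed by"):
            signers.append({})
            continue
        m = FIELD_RE.match(line)
        if m and signers:
            signers[-1][m.group(1)] = m.group(2)
    return signers


def weak_algorithms(signer):
    """Map each weak field of one signer to its bare algorithm name."""
    findings = {}
    for field, value in signer.items():
        name = value.split(",")[0].split()[0]   # drop ', 2048-bit key' and '(weak)'
        norm = name.upper().replace("-", "")     # 'SHA-1' -> 'SHA1', 'SHA1withRSA' -> 'SHA1WITHRSA'
        flagged = "(weak)" in value or norm in WEAK_DIGESTS
        flagged = flagged or any(norm.startswith(w + "WITH") for w in WEAK_DIGESTS)
        if flagged:
            findings[field] = name
    return findings


def check_output(text):
    """One findings dict per signer; an empty dict means that signer is clean."""
    return [weak_algorithms(s) for s in parse_jarsigner_verify(text)]


if __name__ == "__main__":
    print(check_output(SAMPLE_OUTPUT))  # [{'Timestamp digest': 'SHA-1'}]
    print(check_output(CLEAN_OUTPUT))   # [{}]
```

Feed it the output of jarsigner -verify -verbose for each jar in a build to find those whose timestamp digest still needs re-signing with a SHA-256 -tsadigestalg.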
