[eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
Forwarding to planning council.
Mikaël Barbero
Manager — Release Engineering and Technology | Eclipse Foundation 🐦 @mikbarbero
Begin forwarded message:
Subject: Upcoming changes regarding jar signing in JDK17
Date: 10 May 2021 at 21:02:05 CEST
Hi,
Today, all jars signed with the Eclipse Foundation's jar signing service are mostly free of SHA1 digests, except for the timestamp digests, which still use the default --tsadigestalg from JDK8, i.e. SHA1.
See below the output of jarsigner -verify -verbose for org.eclipse.jdt.core_3.25.0.v20210223-0522.jar (latest 2021-03 release):
- Signed by "CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Nepean, ST=Ontario, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021
    Timestamp digest algorithm: SHA-1 (weak)
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key
I propose to change the default Timestamp digest algorithm of the Foundation's jar signing service to SHA256 as soon as possible. If there is a strong requirement, it is possible to add an option to the signing service (and the cbi maven plugin) to allow projects to specify a digest algorithm of their choice.
Thoughts?
Mikaël Barbero
Manager — Release Engineering and Technology | Eclipse Foundation 🐦 @mikbarbero
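As an added example, not code from the Foundation's signing service or the CBI maven plugin: a small audit helper that parses the `jarsigner -verify -verbose` block quoted above and flags signers whose timestamp (or file) digest is still SHA-1, so a release engineer can find jars timestamped with the JDK 8 default before the service moves to SHA-256. The sample output is constructed from the post, and the function names are hypothetical.

```python
"""Hypothetical audit helper (not Eclipse/CBI tooling): parse the per-signer
block printed by `jarsigner -verify -verbose` and report signers whose file or
timestamp digest is SHA-1/MD5, i.e. jars still timestamped with the JDK 8
default -tsadigestalg before re-signing with -tsadigestalg SHA-256."""
import re
import subprocess
from typing import Dict, List

# Constructed sample, modelled on the output quoted in the mailing-list post.
SAMPLE_OUTPUT = """\
- Signed by "CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Nepean, ST=Ontario, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021
    Timestamp digest algorithm: SHA-1 (weak)
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key
"""
WEAK_DIGESTS = {"SHA-1", "SHA1", "MD5", "MD2"}
# Matches "Digest algorithm: SHA-256" style fields. The "Timestamped by ... on
# <date>" line has a quote before its first colon and is deliberately skipped.
_FIELD = re.compile(r"^([A-Za-z ]+): (.+)$")

def parse_signers(verbose_output: str) -> List[Dict[str, str]]:
    """One dict per '- Signed by' block, keyed by jarsigner's field names."""
    signers: List[Dict[str, str]] = []
    for raw in verbose_output.splitlines():
        line = raw.strip()
        if line.startswith("- Signed by "):
            signers.append({"signer": line[len("- Signed by "):]})
            continue
        m = _FIELD.match(line)
        if signers and m:
            signers[-1][m.group(1)] = m.group(2)
    return signers

def weak_digest_findings(verbose_output: str) -> List[str]:
    """Return 'field=algorithm' for every weak file or timestamp digest."""
    findings = []
    for s in parse_signers(verbose_output):
        for field in ("Digest algorithm", "Timestamp digest algorithm"):
            alg = s.get(field, "").split(" ")[0]  # drop jarsigner's "(weak)" tag
            if alg in WEAK_DIGESTS:
                findings.append(f"{field}={alg}")
    return findings

def audit_jar(path: str) -> List[str]:
    """Run jarsigner on a real jar (needs a JDK on PATH) and audit its output."""
    proc = subprocess.run(["jarsigner", "-verify", "-verbose", path],
                          capture_output=True, text=True, check=False)
    return weak_digest_findings(proc.stdout)
```

Run `audit_jar` over a release's plugins directory to list which jars would still show the `(weak)` timestamp digest under JDK 17's jarsigner.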