|Re: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17|
Forwarding to planning council.Begin forwarded message:From: Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx>Subject: Upcoming changes regarding jar signing in JDK17Date: 10 May 2021 at 21:02:05 CESTTo: Common-build Developers discussion <cbi-dev@xxxxxxxxxxx>Hi,In the recent build 21 of JDK 17, jars signed with SHA-1will be considered unsafe (see https://bugs.openjdk.java.net/browse/JDK-8196415 for details).Today, all jars signed with the Eclipse Foundation's jar signing service are mostly free of SHA1 digests, except for the timestamp digests which still use the default --tsadigestalg from JDK8, ie SHA1.See below the output of jarsigner -verify -verbose for org.eclipse.jdt.core_3.25.0.v20210223-0522.jar (latest 2021-03 release):- Signed by "CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Nepean, ST=Ontario, C=CA"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021
Timestamp digest algorithm: SHA-1 (weak)
Timestamp signature algorithm: SHA256withRSA, 2048-bit keyI propose to change the default Timestamp digest algorithm of the Foundation's jar signing service to SHA256 as soon as possible. If there is a strong requirement, it is possible to add an option to the signing service (and the cbi maven plugin) to allow projects specifying a digest algorithm of their choice.Thoughts?
eclipse.org-planning-council mailing list
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-planning-council
Back to the top