Re: [eclipse.org-planning-council] Upcoming changes regarding jar signing in JDK17

I agree that this should be enabled ASAP. 

What about giving it a try for M3? If some incompatibilities are discovered, we can revert for RC1.

Cheers,

Mikaël Barbero 
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 11 May 2021, at 15:04, Thomas Watson <tjwatson@xxxxxxxxxx> wrote:

Furthermore, with https://bugs.eclipse.org/bugs/show_bug.cgi?id=572034 the Equinox SignedContent implementation no longer has its own implementation for parsing signed JARs.  It now will use the Java JAR API to do that.  This allows us to keep up with the support of signed JARs in Java as they add new algorithms, but it also means we no longer will support algorithms that the new Java versions drop.  In the end this is the correct thing to do because these old algorithms have been determined to be insecure today.  With the 2021-06 release, running on Java 17 any such JARs using this kind of TSA will be reported as not having a valid trusted TSA certificate when installed into the Eclipse platform.

Tom
 
 
 
----- Original message -----
From: Aleksandar Kurtakov <akurtako@xxxxxxxxxx>
Sent by: "eclipse.org-planning-council" <eclipse.org-planning-council-bounces@xxxxxxxxxxx>
To: Eclipse Planning Council private list <eclipse.org-planning-council@xxxxxxxxxxx>
Cc:
Subject: [EXTERNAL] Re: [eclipse.org-planning-council] Fwd: Upcoming changes regarding jar signing in JDK17
Date: Tue, May 11, 2021 2:47 AM
 
 
 
On Tue, May 11, 2021 at 10:36 AM Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Forwarding to planning council.

 
Begin forwarded message:
 
Subject: Upcoming changes regarding jar signing in JDK17
Date: 10 May 2021 at 21:02:05 CEST
To: Common-build Developers discussion <cbi-dev@xxxxxxxxxxx>
 
Hi,
 
In the recent build 21 of JDK 17, jars signed with SHA-1 will be considered unsafe (see https://bugs.openjdk.java.net/browse/JDK-8196415 for details).
 
Today, all jars signed with the Eclipse Foundation's jar signing service are mostly free of SHA1 digests, except for the timestamp digests which still use the default --tsadigestalg from JDK8, i.e. SHA1.
 
See below the output of jarsigner -verify -verbose for org.eclipse.jdt.core_3.25.0.v20210223-0522.jar (latest 2021-03 release):
 
- Signed by "CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Nepean, ST=Ontario, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Tue Feb 23 12:20:10 UTC 2021
    Timestamp digest algorithm: SHA-1 (weak)
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key
 
I propose to change the default Timestamp digest algorithm of the Foundation's jar signing service to SHA256 as soon as possible. If there is a strong requirement, it is possible to add an option to the signing service (and the cbi maven plugin) to allow projects specifying a digest algorithm of their choice.
 
Thoughts? 
 
If Java 17 will consider it unsigned I would say do the change without even providing the option to switch back as providing such signatures doesn't make sense anymore.
 

_______________________________________________
eclipse.org-planning-council mailing list
eclipse.org-planning-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-planning-council


--
Aleksandar Kurtakov
Red Hat Eclipse Team

Attachment: signature.asc
Description: Message signed with OpenPGP
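
The check discussed in the thread can be automated over `jarsigner -verify -verbose` output. The script below is an added example, not part of the original messages or of the Eclipse signing service; the function names, the sample report and the list of algorithms treated as weak (SHA-1, MD5, MD2) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag weak digest/signature algorithms in the signer and
# timestamp blocks printed by `jarsigner -verify -verbose`.

# Constructed sample, modelled on the output quoted in the thread.
sample_report() {
cat <<'EOF'
- Signed by "CN=Example Signer, O=Example Org, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Example TSA, O=Example TSA Org, C=US" on Tue Feb 23 12:20:10 UTC 2021
    Timestamp digest algorithm: SHA-1 (weak)
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key
EOF
}

# Hypothetical helper: reads jarsigner output on stdin, prints one
# "field=algorithm" line per weak algorithm, returns 1 if any was found.
find_weak_algorithms() {
  awk -F': *' '
    /^[ \t]*(Digest|Signature|Timestamp digest|Timestamp signature) algorithm:/ {
      field = $1; sub(/^[ \t]+/, "", field)
      alg = $2;   sub(/[ ,(].*$/, "", alg)   # drop ", 2048-bit key" / "(weak)"
      norm = toupper(alg); gsub(/-/, "", norm)
      # Assumed weak list: anything starting with SHA1, MD5 or MD2
      # (this also catches SHA1withRSA and MD5withRSA).
      if (norm ~ /^(SHA1|MD5|MD2)/) { print field "=" alg; weak = 1 }
    }
    END { exit (weak ? 1 : 0) }
  '
}

# Against a real jar (path is a placeholder):
#   jarsigner -verify -verbose path/to/bundle.jar | find_weak_algorithms
sample_report | find_weak_algorithms || echo "weak algorithm(s) found" >&2
```

Because the helper exits non-zero on any hit, it can gate a build step that runs after signing, so a jar whose timestamp digest is still SHA-1 fails the build instead of being published.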

