Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8159393

jlink should print a warning that a signed modular JAR will be treated as unsigned

XMLWordPrintable

    • b144
    • Verified

      If a signed modular jar is linked into a runtime image with jlink, the signing information (certificates, etc) is not retained, and the module cannot be used for additional policy (using the signedBy clause) or other types of authentication checks (ex: using the signer information in the module's CodeSource) at runtime. It is effectively treated as unsigned code.

      In order to eliminate any potential confusion, jlink should warn a user that the linked module will be treated as unsigned at runtime.

      Alternatives such as running the module from the modulepath or classpath (which would retain the signing information) may also be suggested (but would be a separate issue).

            jlaskey Jim Laskey
            mullan Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: