-
Enhancement
-
Resolution: Fixed
-
P3
-
None
-
b144
-
Verified
If a signed modular jar is linked into a runtime image with jlink, the signing information (certificates, etc) is not retained, and the module cannot be used for additional policy (using the signedBy clause) or other types of authentication checks (ex: using the signer information in the module's CodeSource) at runtime. It is effectively treated as unsigned code.
In order to eliminate any potential confusion, jlink should warn a user that the linked module will be treated as unsigned at runtime.
Alternatives such as running the module from the modulepath or classpath (which would retain the signing information) may also be suggested (but would be a separate issue).
In order to eliminate any potential confusion, jlink should warn a user that the linked module will be treated as unsigned at runtime.
Alternatives such as running the module from the modulepath or classpath (which would retain the signing information) may also be suggested (but would be a separate issue).
- relates to
-
JDK-8160552 Store code signer information in jimage
-
- Closed
-
-
JDK-8169505 Update changes by JDK-8159393 to reflect CCC review
-
- Closed
-