[JDK-8166222] Don't treat signed jars with invalid timestamps as unsigned - Java Bug System

XML

Word

Printable

Details

Type: Enhancement
Status: Closed
Priority: P3
Resolution: Not an Issue
Affects Version/s: None
Fix Version/s: None
Component/s: security-libs
Labels:
- seclibs-18.3
- security-disabled-algs-rfe

Subcomponent:
java.security

Description

We should consider changing the behavior for signed JARs that are timestamped and which the jar signature is valid but the timestamp is not parseable or uses an unsupported or weak algorithm. Currently, it appears that these JARs are treated as completely unsigned. However, it really should be treated as signed but without a timestamp.

Attachments

Issue Links

relates to

JDK-8180289 jarsigner treats timestamped signed jar invalid after the signer cert expires

Closed

Activity

People

Assignee:: Weijun Wang

Reporter:: Sean Mullan

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2016-09-16 15:01

Updated:: 2017-10-19 00:21

Resolved:: 2017-10-19 00:18