- Bug
- Resolution: Fixed
- P3
- None
- b13
- Verified
Currently, the jarsigner tool does not warn you if the signature/digest algorithm parameters use legacy or disabled algorithms. For example, the parameters for the RSASSA-PSS signature algorithm contain two fields (hashAlgorithm and maskGenAlgorithm) that should be checked against the algorithm constraint properties.
These algorithms, however, are properly restricted at runtime, and if disabled, the JAR is treated as unsigned.
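The check described above, sketched as an added example (not the JDK's or jarsigner's own code): it inspects both digest fields of an RSASSA-PSS parameter set against a list of restricted algorithm names. The class and method names are hypothetical, the constraint string is a constructed sample, and the property parsing is deliberately simplified.

```java
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class PssParamCheck {
    // Canonical form for comparison: "SHA-1", "sha1" and "SHA1" all become "SHA1".
    static String norm(String alg) {
        return alg.toUpperCase(Locale.ROOT).replace("-", "");
    }

    // Simplified reading of a constraint property: keeps only the first token
    // (the algorithm name) of each comma-separated entry. Qualifiers such as
    // keySize or denyAfter are ignored, so a qualified entry counts as restricted.
    static Set<String> restrictedNames(String property) {
        Set<String> names = new HashSet<>();
        if (property == null) return names;
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty()) names.add(norm(e.split("\\s+")[0]));
        }
        return names;
    }

    // Returns the PSS parameter fields whose digest algorithm is restricted.
    static List<String> restrictedFields(PSSParameterSpec pss, Set<String> restricted) {
        List<String> hits = new ArrayList<>();
        if (restricted.contains(norm(pss.getDigestAlgorithm())))
            hits.add("hashAlgorithm=" + pss.getDigestAlgorithm());
        if (pss.getMGFParameters() instanceof MGF1ParameterSpec) {
            MGF1ParameterSpec mgf1 = (MGF1ParameterSpec) pss.getMGFParameters();
            if (restricted.contains(norm(mgf1.getDigestAlgorithm())))
                hits.add("maskGenAlgorithm=MGF1 with " + mgf1.getDigestAlgorithm());
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample value; a real check would read
        // java.security.Security.getProperty("jdk.jar.disabledAlgorithms").
        Set<String> restricted = restrictedNames("MD2, MD5, SHA1");
        // Constructed parameters: SHA-256 message digest, but MGF1 still uses SHA-1.
        PSSParameterSpec pss = new PSSParameterSpec(
                "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, 32, 1);
        System.out.println(restrictedFields(pss, restricted));
    }
}
```

The sample parameters pass a check that looks only at hashAlgorithm; the restricted digest sits in maskGenAlgorithm, which is why both fields need to be examined.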
relates to:
- JDK-8283665 Two Jarsigner tests needs to be updated with JDK-8267319 (Resolved)
- JDK-8275887 jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled (Resolved)