JDK-8319846

Add a jarsigner option to provide CMS::SignerInfo::digestAlgorithm


    • Enhancement
    • Resolution: Unresolved
    • P3
    • security-libs

      The digestAlgorithm is normally determined by the signatureAlgorithm. For example, https://www.rfc-editor.org/rfc/rfc8419.html#section-3 requires SHA-512 for Ed25519, and https://www.rfc-editor.org/rfc/rfc8708.html#name-signed-data-conventions requires the same hash algorithm used in HSS/LMS. However, if a new algorithm is provided by a 3rd-party security provider and the JDK itself is not aware of it, or an algorithm is very new and no RFC has been published on how to determine the digestAlgorithm field, jarsigner (as well as the JarSigner API) won't be able to sign a JAR file.

      It would be nice to have a new option to provide this algorithm. We also need to determine what we shall do if the JDK can already find one. Should the value always be used? Or should it only be used as a fallback when the JDK cannot find one? Please note that a mismatched digestAlgorithm and signatureAlgorithm might lead to unexpected behavior.

            weijun Weijun Wang