In JDK-8377338, we updated the sun.net.www.protocol.jar.URLJarFile$URLJarFileEntry to remove the overriden implementation of getCertificates() and getCodeSigners() methods. They were removed to prevent the duplicate array cloning that was happening in those method implementations.

Unfortunately, this change introduces a regression where java.net.JarURLConnection.getCertificates() will now incorrectly return null for JAR entries in a signed JAR.

A trivial test which reproduces this is as follows:

// SIGNED_JAR points to a signed JAR on the file system and JAR_ENTRY_NAME is
// the name of an entry in that JAR file

final URI uri = new URI("jar:" + SIGNED_JAR.toUri() + "!/" + JAR_ENTRY_NAME);
System.err.println("running test against signed JAR entry: " + uri);
final URLConnection urlConn = uri.toURL().openConnection();
assertInstanceOf(JarURLConnection.class, urlConn, "unexpected URLConnection type");
final JarURLConnection jarURLConn = (JarURLConnection) urlConn;
try (InputStream is = jarURLConn.getInputStream()) {
    is.readAllBytes();
}
final Certificate[] certs = jarURLConn.getCertificates();
assertNotNull(certs, "null certificates for signed JAR entry: " + uri);