Loading...

XML

Word

Printable

Type: Enhancement
Resolution: Fixed
Priority: P3
Fix Version/s: 18
Affects Version/s: 18
Component/s: security-libs
Labels:

Subcomponent:
java.security
Resolved In Build:
b16

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8282338	17.0.5-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8288965	17.0.5	Goetz Lindenmaier	P3	Resolved	Fixed	b01
JDK-8292705	15.0.9	Alexey Bakhtin	P3	Resolved	Fixed	b03
JDK-8292568	13.0.13	Alexey Bakhtin	P3	Resolved	Fixed	b03
JDK-8292537	13-pool	Alexey Bakhtin	P3	Closed	Withdrawn
JDK-8291676	11.0.17	Goetz Lindenmaier	P3	Resolved	Fixed	b01
JDK-8297517	openjdk8u362	Alexey Bakhtin	P3	Resolved	Fixed	b05
JDK-8358876	shenandoah8u362	Alexey Bakhtin	P3	Resolved	Fixed	b05

Disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. See the CSR for more details.

The original enhancement (~~JDK-8196415~~) was backed out due to performance regressions, which should be addressed in this new fix.

backported by

JDK-8282338 Disable SHA-1 Signed JARs

Resolved

JDK-8288965 Disable SHA-1 Signed JARs

Resolved

JDK-8291676 Disable SHA-1 Signed JARs

Resolved

JDK-8292568 Disable SHA-1 Signed JARs

Resolved

JDK-8292705 Disable SHA-1 Signed JARs

Resolved

JDK-8297517 Disable SHA-1 Signed JARs

Resolved

JDK-8358876 Disable SHA-1 Signed JARs

Resolved

JDK-8292537 Disable SHA-1 Signed JARs

Closed

csr for

JDK-8272155 Disable SHA-1 Signed JARs

Closed

duplicates

JDK-8265086 jarsigner tool should display descriptive message when multiple constraints are specified

Closed

JDK-8166764 jarsigner should detect JARs that are signed after the SHA-1 cutoff date and warn about it

Closed

relates to

JDK-8275887 jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Resolved

JDK-8298108 Add a regression test for JDK-8297684

Resolved

JDK-8274536 sun/security/tools/jarsigner/multiRelease/MVJarSigningTest.java fails due to recursive initialisation

Resolved

JDK-8262762 Deadlock in java.util.jar.JarFile

Closed

JDK-8266971 JDK-8196415 cause significant startup regressions on apps that include any SHA-1 signed JAR

Closed

JDK-8280890 Cannot use '-Djava.system.class.loader' with class loader in signed JAR

Closed

JDK-8297684 NullPointerException in JarVerifier prevents JVM from starting

Closed

JDK-8196415 Disable SHA-1 Signed JARs

Closed

links to

Commit openjdk/jdk8u-dev/c501bfaa

Commit openjdk/jdk11u-dev/5a0824ba

Commit openjdk/jdk13u-dev/79497f63

Commit openjdk/jdk15u-dev/0ec5a527

Commit openjdk/jdk17u-dev/13055166

Commit openjdk/jdk/6d91a3eb

Review openjdk/jdk8u-dev/154

Review openjdk/jdk11u-dev/1244

Review openjdk/jdk13u-dev/389

Review openjdk/jdk15u-dev/255

Review openjdk/jdk17u-dev/510

Review openjdk/jdk/5320

(3 backported by, 1 csr for, 2 duplicates, 8 relates to, 12 links to)

1.	Update docs with new default values for jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms because SHA-1 signed JARs are disabled		Resolved	Raymond Gallardo
2.	Release Note: Disabled SHA-1 Signed JARs		Closed	Sean Mullan

Assignee:: Sean Mullan

Reporter:: Sean Mullan

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2021-06-18 11:49

Updated:: 2025-06-07 15:19

Resolved:: 2024-10-30 13:02

Details

Backports

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates