JDK-8168828 : Release Note: jarsigner -verbose -verify should print the algorithms used to sign the jar
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u141,7u131,8u121,9
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2016-10-27
  • Updated: 2022-06-14
  • Resolved: 2016-12-14
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
6u141Resolved 7u131Resolved 8u121Resolved 9Resolved
The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak.

Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property `jdk.jar.disabledAlgorithms`, it will be labeled with "(weak)".

For example:
- Signed by "CN=weak_signer"
    Digest algorithm: MD2 (weak)
    Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
  Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key