JDK-8245151 : jarsigner should not raise duplicate warnings on verification
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 15
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2020-05-18
  • Updated: 2020-10-12
  • Resolved: 2020-05-19
  • JDK 11: 11.0.9-oracle (Fixed)
  • JDK 15: 15 b24 (Fixed)
  • JDK 7: 7u281 (Fixed)
  • JDK 8: 8u270 (Fixed)
Description
1. Signed a jar with options "-digestalg SHA-1" and "-tsadigestalg SHA-1"; the output contained the below lines:
...
jar signed.

Warning: 
The SHA-1 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA-1 algorithm specified for the -tsadigestalg option is considered a security risk. This algorithm will be disabled in a future update.
...

2. Verified the signed jar; two duplicate warnings were raised about SHA-1, like the below:
...
jar verified.

Warning: 
The SHA-1 digest algorithm is considered a security risk. This algorithm will be disabled in a future update.
The SHA-1 digest algorithm is considered a security risk. This algorithm will be disabled in a future update.
...
Comments
Fix request (11u) -- will label after testing completed. I would like to downport this for parity with 11.0.9-oracle. Applies clean.
19-07-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/0b2e88024e7a User: weijun Date: 2020-05-19 03:56:15 +0000
19-05-2020