JDK-8163304 : jarsigner -verbose -verify should print the algorithms used to sign the jar
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2016-08-05
  • Updated: 2017-11-29
  • Resolved: 2016-10-20
Version table
  • JDK 6: 6u141 (Fixed)
  • JDK 7: 7u131 (Fixed)
  • JDK 8: 8u121 (Fixed)
  • JDK 9: 9 b142 (Fixed)
  • Other: openjdk7u (Fixed)
Sub Tasks
  • JDK-8168828
Description
It would be useful to emit the digest and signature algorithms that were used to sign the jar file.
Comments
UR SQE OK to take the fix to CPU17_01 as far as it should be aligned with JDK-8167591 already integrated in the release.
07-11-2016

SigningHistory.java updated to print a usage line when args.length != 1.
29-09-2016

A standalone tool SigningHistory.java is attached to look at signature information inside a jar. Run with jdk6u+. For jdk9, please add "--add-exports java.base/sun.security.pkcs=ALL-UNNAMED --add-exports java.base/sun.security.timestamp=ALL-UNNAMED --add-exports java.base/sun.security.util=ALL-UNNAMED --add-exports java.base/sun.security.x509=ALL-UNNAMED" to the command line because internal APIs are used. This tool can also be added to jdk9/dev and called when "jarsigner -history <jarfile>" is called. Jarsigner will only print out the signing history without doing anything else.
29-09-2016

Can SigningHistory be a JAR so users don't have to compile it?
29-09-2016

Both -digestalg and -sigalg info? Since a jar file can be signed multiple times and the content can change between the signings, the above info can be different for different files. The current jarsigner -verbose output only lists files each on one line. It might be better to add the new info into jarsigner -verbose -certs. I can think of something like this:

    sm 8 Mon Aug 08 22:04:22 CST 2016 A (and 3 more)
    + entry is signed with digest algorithm SHA-1 and signature algorithm SHA1withRSA
      X.509, CN=Me
      [certificate expired on 6/1/15, 9:48 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]
    - [entry was signed on 8/8/16, 10:05 PM]
    + [entry was signed on 8/8/16, 10:05 PM with digest algorithm SHA-256 and signature algorithm SHA256withRSA]
      X.509, CN=old
      [certificate is valid from 8/8/16, 10:04 PM to 2/24/17, 10:04 PM]
      X.509, CN=CA
      [certificate is valid from 8/8/16, 10:04 PM to 2/24/17, 10:04 PM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

Here, there is no timestamp for CN=Me (a self-signed cert), and there is a timestamp for CN=old (which is signed by CN=CA). New digestalg and sigalg info are added/merged. Are we also interested in digestalg and sigalg for the timestamp?
08-08-2016