JDK-8196415 : Disable SHA-1 Signed JARs
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2018-01-30
  • Updated: 2025-01-24
  • Resolved: 2021-04-28
Fix Versions
  • JDK 11: 11.0.12-oracle (Fixed)
  • JDK 16: 16.0.2 (Fixed)
  • JDK 17: 17 b21 (Fixed)
  • JDK 7: 7u311 (Fixed)
  • JDK 8: 8u311 (Fixed)
Sub Tasks
JDK-8259640
Description
Restrict JARs signed with algorithms using SHA-1 by default. This includes the JAR digest and signature algorithm, the timestamp digest algorithm, and the certificate chains of the code signer and Timestamp Authority. See below for exceptions.

Restricting signed JARs is more complicated than restricting TLS, because of the higher risk of breaking code that was previously timestamped and may still be in use. The jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms security properties support a denyAfter constraint, which can help mitigate this risk by restricting only SHA-1 JARs timestamped after a specific date, for example:

jdk.jar.disabledAlgorithms=SHA1 denyAfter 2020-04-02

The Root CAs included in the JDK that support code signing should all be issuing SHA-2 code signing certificates by default, although some may still allow SHA-1 to be requested, mainly for compatibility with older Windows systems that do not support SHA-2.

The compatibility risk of disabling SHA-1 JARs is much lower in JDK 11 and up, since signed applets and WebStart applications are not supported.

The current proposal is to disable SHA-1 JARs with the following exceptions:

  1. Any JAR signed and timestamped prior to January 01, 2019 is not restricted. This will allow SHA-1 JARs timestamped prior to this date and still in use to continue to work, but we encourage them to be replaced, as this exception will likely be removed in a future update.

  2. Any JAR signed with SHA-1 certificates that were not issued by (or do not chain back to) one of the Root CAs included in the JDK cacerts keystore is not restricted. Thus, if you are using a CA that is not included in the JDK, you will not be affected. This is consistent with the TLS SHA-1 certificate restriction. As with exception 1, this exception will likely be removed in a future update.
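
To see which of the items above a given signed JAR depends on, the following added example (not part of the JDK or of this issue; the class name Sha1JarAudit is hypothetical) lists the manifest digest attributes, the signature algorithm of each certificate in the code signer and TSA chains, and the timestamp date that a denyAfter constraint is compared against. It does not inspect the signature block's own algorithm or the timestamp digest algorithm.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

// Added example; Sha1JarAudit is a hypothetical name, not a JDK tool.
public class Sha1JarAudit {
    public static void main(String[] args) throws Exception {
        Set<String> findings = new TreeSet<>();
        try (JarFile jar = new JarFile(args[0])) {   // verification is on by default
            // JAR digest algorithm: per-entry manifest attributes named "<alg>-Digest".
            Manifest mf = jar.getManifest();
            if (mf != null)
                for (Attributes attrs : mf.getEntries().values())
                    for (Object key : attrs.keySet())
                        if (key.toString().matches("(?i).+-Digest"))
                            findings.add("manifest digest attribute: " + key);
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip META-INF/, where the signature files themselves live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available after the entry has been read to the end.
                byte[] buf = new byte[8192];
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    // Either never signed, or rejected by jdk.jar.disabledAlgorithms on this JDK.
                    findings.add("entries without accepted signers");
                    continue;
                }
                for (CodeSigner cs : signers) {
                    addChain(findings, "code signer", cs.getSignerCertPath().getCertificates());
                    if (cs.getTimestamp() == null) { findings.add("signature has no timestamp"); continue; }
                    // The date a denyAfter constraint is compared against.
                    findings.add("timestamped " + cs.getTimestamp().getTimestamp().toInstant());
                    addChain(findings, "TSA", cs.getTimestamp().getSignerCertPath().getCertificates());
                }
            }
        }
        for (String f : findings) System.out.println(f);
    }
    static void addChain(Set<String> out, String who, List<? extends Certificate> chain) {
        for (Certificate c : chain)
            if (c instanceof X509Certificate)
                out.add(who + " certificate signed with " + ((X509Certificate) c).getSigAlgName());
    }
}
```

Run it as `java Sha1JarAudit.java app.jar` on JDK 11 or later. On a JDK where the restriction is active, a restricted JAR is treated as unsigned, so it shows SHA-1 digest attributes together with "entries without accepted signers".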

Comments
backed out and fixed via https://bugs.openjdk.org/browse/JDK-8269039
30-10-2024

Changed label to jdk11u-na which is what we usually use to mark bugs as not applicable for OpenJDK backports
26-01-2022

Added jdk11u-fix-no since it got backed out with JDK-8267100. The new attempt for this is JDK-8269039.
03-08-2021

Fix Request: an enhancement to improve security options with use of signed JARs
04-05-2021

Changeset: 27805775
Author: Sean Mullan <mullan@openjdk.org>
Date: 2021-04-28 17:13:21 +0000
URL: https://git.openjdk.java.net/jdk/commit/278057756a1a79a4b030750c48b821ba9735a0f9
28-04-2021