JDK-8269039 : Disable SHA-1 Signed JARs
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 18
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-06-18
  • Updated: 2022-12-05
  • Resolved: 2021-09-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 15 JDK 17 JDK 18 Other
11.0.17Fixed 13-poolUnresolved 15.0.9Fixed 17.0.5-oracleFixed 18 b16Fixed openjdk8u362Fixed
Related Reports
CSR :  
JDK-8272155 - Disable SHA-1 Signed JARs
Duplicate :  
JDK-8166764 - jarsigner should detect JARs that are signed after the SHA-1 cutoff date and warn about it
Duplicate :  
JDK-8265086 - jarsigner tool should display descriptive message when multiple constraints are specified
Relates :  
JDK-8266971 - JDK-8196415 cause significant startup regressions on apps that include any SHA-1 signed JAR
Relates :  
JDK-8262762 - Deadlock in java.util.jar.JarFile
Relates :  
JDK-8280890 - Cannot use '-Djava.system.class.loader' with class loader in signed JAR
Relates :  
JDK-8274536 - sun/security/tools/jarsigner/multiRelease/MVJarSigningTest.java fails due to recursive initialisation
Relates :  
JDK-8196415 - Disable SHA-1 Signed JARs
Relates :  
JDK-8275887 - jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
Relates :  
JDK-8298108 - Add a regression test for JDK-8297684
Relates :  
JDK-8297684 - NullPointerException in JarVerifier prevents JVM from starting
Sub Tasks
JDK-8273203 :  
Update docs with new default values for jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms because SHA-1 signed JARs are disabled - Resolved
JDK-8274081 :  
Release Note: Disabled SHA-1 Signed JARs - Closed
Description
Disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. See the CSR for more details.

The original enhancement (JDK-8196415) was backed out due to performance regressions, which should be addressed in this new fix.
Comments
CSR for backports is JDK-8264362
17-11-2022
Fix request [8u] I'd like to backport this enhancement for parity with Oracle and the security roadmap Related tests passed.
17-11-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/154 Date: 2022-11-03 15:34:01 +0000
03-11-2022
Fix request [15u] I'd like to backport this feature for alignment with JDK11, JDK 13 and JDK17 Related tests passed.
22-08-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk15u-dev/pull/255 Date: 2022-08-18 15:56:59 +0000
18-08-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk13u-dev/pull/389 Date: 2022-08-16 16:28:33 +0000
17-08-2022
Fix request [13u] I'd like to backport this feature for alignment with JDK11 Related tests passed.
17-08-2022
Fix request [11u] I backport this because it is in the security roadmap for this update. https://www.java.com/en/jre-jdk-cryptoroadmap.html I had to resolve quite some files. Tests pass. SAP nightly testing passes.
26-07-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1244 Date: 2022-07-20 07:44:55 +0000
20-07-2022
Fix request [17u] I backport this for parity with 17.0.5-oracle. We should have the same behaviour here as other VMs. Clean backport. Tests pass. SAP nightly testing passed.
03-07-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/510 Date: 2022-06-27 14:23:04 +0000
27-06-2022
Changeset: 6d91a3eb Author: Sean Mullan <mullan@openjdk.org> Date: 2021-09-21 13:45:47 +0000 URL: https://git.openjdk.java.net/jdk/commit/6d91a3eb7bd1e1403cfb67f7eb8ce06d7e08e7a7
21-09-2021