JDK-8371079 : Add support for JARs signed with ML-DSA
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 26
  • Submitted: 2025-10-31
  • Updated: 2025-11-16
  • Resolved: 2025-11-05
Description
Summary
-------
Add support for creating and verifying JARs signed with the ML-DSA algorithm and the PKCS #7 format as specified in [RFC 9882](https://datatracker.ietf.org/doc/html/rfc9882).

Problem
-------
ML-DSA is a post-quantum digital signature algorithm defined in FIPS 204. It can be used for general-purpose signing, including JAR file signatures. RFC 9882 specifies additional requirements for using ML-DSA within the Cryptographic Message Syntax (CMS), which is the PKCS #7 format of the signature block files inside signed JARs.

Solution
--------
Add support for ML-DSA in JAR signing and verification. When the signing key is an ML-DSA key, `jarsigner` will automatically use the ML-DSA signature algorithm with the same parameter set, so the `-sigalg` option is not required. If the user specifies a `-sigalg` option that does not match the key algorithm, `jarsigner` will report an error and fail.

Specification
-------------
In the table in [Supported Algorithms](https://docs.oracle.com/en/java/javase/24/docs/specs/man/jarsigner.html#supported-algorithms), add a new row for ML-DSA and add a note:

> Modern digital signature algorithms such as EdDSA and ML-DSA use the same name for both the key and signature algorithms. Only the signature algorithm with the same name can be used with a given key algorithm. The specific signature parameter set (for example, Ed25519 or Ed448 for EdDSA) is the same as that of the key.

I also take this chance to number the notes to match cells in the table.

The rendered HTML page is attached.
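
As an added illustration (not part of this CSR and not `jarsigner`'s code), the following Java program shows the same-name rule at the JCA level: the signature algorithm is taken from the key, and a signature algorithm from another family is rejected when initialised with that key. It assumes JDK 24 or later, where ML-DSA is available in the JCA; the class name and the sample data are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.spec.NamedParameterSpec;

// Added example; assumes JDK 24+ (ML-DSA support in the JCA).
public class MlDsaSameNameDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for the bytes a signer would cover.
        byte[] data = "Manifest-Version: 1.0\r\n".getBytes(StandardCharsets.UTF_8);

        // The parameter set is fixed when the key pair is generated.
        KeyPair kp = KeyPairGenerator.getInstance("ML-DSA-65").generateKeyPair();
        String keyAlg = kp.getPrivate().getAlgorithm();
        String paramSet = "unknown";
        if (kp.getPrivate().getParams() instanceof NamedParameterSpec nps) {
            paramSet = nps.getName();
        }
        System.out.println("key algorithm = " + keyAlg + ", parameter set = " + paramSet);

        // Key and signature algorithm share a name, so derive the latter from the key.
        Signature signer = Signature.getInstance(keyAlg);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        // Verification uses the same algorithm name with the public key.
        Signature verifier = Signature.getInstance(keyAlg);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("verified = " + verifier.verify(sig)
                + ", signature length = " + sig.length);

        // A signature algorithm from another family cannot be used with this key.
        try {
            Signature.getInstance("SHA256withRSA").initSign(kp.getPrivate());
            System.out.println("unexpected: mismatched algorithm accepted");
        } catch (InvalidKeyException e) {
            System.out.println("mismatch rejected: " + e.getMessage());
        }
    }
}
```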
Comments
[~weijun] Can you confirm that this doesn't require any changes to the Signed JAR File section in the JAR file spec, specifically the list of sig files?
05-11-2025

Moving to Approved.
05-11-2025

[~weijun] Thanks for confirming (I wasn't aware of the subtle change to the description of .DSA to make it open ended).
05-11-2025

[~alanb] Good question. This used to be an issue, and we had to introduce a new block file extension for every new signature algorithm. When we added support for HSS/LMS in JDK-8302233, we decided to stop creating new extensions and instead always reuse ".DSA". The extension itself does not matter because the algorithm is encoded inside the file. The "Digital Signature" section of the JAR file spec now states:
- .DSA (PKCS7 signature, for DSA or any other key algorithm)
05-11-2025