Is Java 9 abandoning SHA1 certificates or something else?

[Update] Oracle has just revised its crypto roadmap ( https://www.java.com/en/jre-jdk-cryptoroadmap.html ), and they will not abandon SHA-1 for code signing. 2017-03-14: the target date is changed from 2017-04-18 to 2017-07-18. The scope is narrowed from all SHA-1 usage: only TLS will be affected; *code signing will not be affected at this time*.

In any case, this does not affect the correct answer I received below, because it will apply in the future.

Original post:

Trying to run our Web Start-deployed Java application on JRE 9 EA 153, I got the following pop-up window:

Looking further at the details, I found that the certificate is still valid for some time:

Therefore, I would like to know whether SHA1 is being abandoned, and why.

This certainly sounds like the policy of others in the industry, but the news doesn't sound novice-friendly (especially if it's for end users), so I don't know.

I found this in a roadmap, but I'm not sure whether I understood this paragraph correctly:

Disable SHA-1 in certificate chains anchored by roots included by default in Oracle JDK; local or corporate CAs are not affected. Signed code with a timestamp before January 1, 2017 will not be affected.

I would appreciate your confirmation that this is the reason for the above failure.

FWIW, our certificate is issued by a CA. I think that is different from an "enterprise" CA.

Thank you.

Solution

If end users are meant to use the signed JAR, a package signed with SHA1 in 2017 will not work properly.

The phasing out of SHA1 was announced a long time ago. The only way is to install a local CA or something, but this will not happen on the end user's machine (and should not).

To sign a JAR for your end users, you need to obtain a new, valid SHA-256 certificate from a CA and re-sign any JAR signed with the old one after December 31, 2016. Your certificate will expire in a few months anyway.

Whether you must double-sign your JAR depends on the oldest JVM version you want to target. As far as I know, versions >= 1.4.2 support SHA-256. If you want an even older version (considered old when I started programming with Java 1.5), you need something like double signing. More information can be found here and here.

"How to double-sign a JAR" would be a new topic, because I think it has little to do with this question.
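To find which JARs need re-signing as the answer describes, the sketch below (an added example, not part of the original question or answer) lists the digest algorithms named in a JAR's `META-INF/*.SF` file and the signature-algorithm OIDs present in its signature block. It is a byte-level heuristic that does not parse the PKCS#7 structure or timestamps, so `jarsigner -verify -verbose -certs` remains the authoritative check; `sample_jar` builds a constructed, unsigned test archive.

```python
import io
import re
import zipfile

# DER-encoded OIDs (tag, length, value) that can appear in a signature block.
OIDS = {
    "06052b0e03021a": "sha1",
    "0609608648016503040201": "sha256",
    "06092a864886f70d010105": "sha1WithRSAEncryption",
    "06092a864886f70d01010b": "sha256WithRSAEncryption",
    "06072a8648ce380403": "dsa-with-sha1",
    "06072a8648ce3d0401": "ecdsa-with-SHA1",
    "06082a8648ce3d040302": "ecdsa-with-SHA256",
}
# Matches e.g. "SHA1-Digest:" and "SHA-256-Digest-Manifest:" in a .SF file.
DIGEST_ATTR = re.compile(r"^([\w-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)


def audit_jar(jar_bytes):
    """Return (digest algorithms in .SF files, OID labels in signature blocks)."""
    digests, sigs = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = jar.read(name)
            if upper.endswith(".SF"):
                text = data.decode("utf-8", "replace")
                digests.update(m.group(1).upper() for m in DIGEST_ATTR.finditer(text))
            elif upper.endswith((".RSA", ".DSA", ".EC")):
                sigs.update(label for oid, label in OIDS.items() if bytes.fromhex(oid) in data)
    return digests, sigs


def uses_sha1(jar_bytes):
    """True if SHA-1 shows up in the signature file or the signature block."""
    digests, sigs = audit_jar(jar_bytes)
    return any(d.replace("-", "") == "SHA1" for d in digests) or any("sha1" in s.lower() for s in sigs)


def sample_jar(alg, oid_hex):
    """Constructed test input: a fake 'signed' JAR, not a valid signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        z.writestr("META-INF/APP.SF", f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: AAAA\r\n\r\n")
        z.writestr("META-INF/APP.RSA", b"\x30\x0d" + bytes.fromhex(oid_hex) + b"\x05\x00")
    return buf.getvalue()
```

A SHA-1 hit in the signature block may come from the signer's digest or from a certificate in the chain; the scan does not distinguish the two.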
