8196415: Disable SHA-1 Signed JARs

[seanjmullan]

This change will restrict JARs signed with SHA-1 algorithms and treat them as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

• Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
• Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

All tests are in the closed repo for now.

CSR: https://bugs.openjdk.java.net/browse/JDK-8264362

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Integration blocker

 ⚠️ The change requires a CSR request to be approved.

Issue

• JDK-8196415: Disable SHA-1 Signed JARs

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/3694/head:pull/3694
$ git checkout pull/3694

Update a local copy of the PR:
$ git checkout pull/3694
$ git pull https://git.openjdk.java.net/jdk pull/3694/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3694

View PR using the GUI difftool:
$ git pr show -t 3694

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/3694.diff

[seanjmullan]

/csr

[seanjmullan]

/help

[seanjmullan]

/label add security

[seanjmullan]

/label security

[seanjmullan]

/label add rfr

[bridgekeeper]

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@seanjmullan this pull request will not be integrated until the CSR request JDK-8264362 for issue JDK-8196415 has been approved.

[openjdk]

@seanjmullan Available commands:

• cc - add or remove an additional classification label
• clean - Mark the backport pull request as a clean backport
• contributor - adds or removes additional contributors for a PR
• covered - used when employer has signed the OCA
• csr - require a compatibility and specification request (CSR) for this pull request
• help - shows this text
• integrate - performs integration of the changes in the PR
• issue - edit the list of issues that this PR solves
• label - add or remove an additional classification label
• open - Set the pull request state to "open"
• reviewer - manage additional reviewers for a PR
• reviewers - set the number of additional required reviewers for this PR
• signed - used after signing the OCA
• solves - edit the list of issues that this PR solves
• sponsor - performs integration of a PR that is authored by a non-committer
• summary - updates the summary in the commit message
• test - used to run tests

[openjdk]

@seanjmullan
The security label was successfully added.

[openjdk]

@seanjmullan The security label was already applied.

[openjdk]

@seanjmullan The label rfr is not a valid label. These labels are valid:

• serviceability
• hotspot
• sound
• hotspot-compiler
• kulla
• i18n
• shenandoah
• jdk
• javadoc
• 2d
• security
• swing
• hotspot-runtime
• jmx
• build
• nio
• beans
• core-libs
• compiler
• net
• hotspot-gc
• hotspot-jfr
• awt