8196415: Disable SHA-1 Signed JARs #3694

Closed
wants to merge 3 commits into from

seanjmullan
Member

@seanjmullan seanjmullan commented Apr 26, 2021

This change will restrict JARs signed with SHA-1 algorithms and treat them as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

All tests are in the closed repo for now.

CSR: https://bugs.openjdk.java.net/browse/JDK-8264362


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Integration blocker

 ⚠️ The change requires a CSR request to be approved.

Issue

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/3694/head:pull/3694
$ git checkout pull/3694

Update a local copy of the PR:
$ git checkout pull/3694
$ git pull https://git.openjdk.java.net/jdk pull/3694/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3694

View PR using the GUI difftool:
$ git pr show -t 3694

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/3694.diff
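
To find JARs that the policy described in this pull request could affect, the following added example (not code from this PR or from the JDK) scans a JAR's META-INF/MANIFEST.MF and *.SF files for SHA-1 digest attributes. The sample JARs and the names SIGNER.SF, SIGNER.RSA and A.class are constructed for illustration. It checks digest attribute names only: the signature algorithm, certificate chain, timestamp and the two exceptions above are not evaluated.

```python
import io
import re
import zipfile

# Digest attributes look like "SHA1-Digest:", "SHA-256-Digest-Manifest:", etc.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
SHA1_NAMES = {"SHA1", "SHA-1"}


def digest_algorithms(jar_bytes):
    """Return (has_signature_block, {entry: set of digest algorithm names})."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        signed = any(SIG_BLOCK.match(n) for n in names)
        for name in names:
            if name.upper() == "META-INF/MANIFEST.MF" or SIG_FILE.match(name):
                text = jar.read(name).decode("utf-8", "replace")
                found[name] = {a.upper() for a in DIGEST_ATTR.findall(text)}
    return signed, found


def audit(jar_bytes):
    """Classify a JAR as 'unsigned', 'sha1-digest' or 'no-sha1-digest'."""
    signed, found = digest_algorithms(jar_bytes)
    if not signed:
        return "unsigned"
    algs = set().union(*found.values())
    return "sha1-digest" if algs & SHA1_NAMES else "no-sha1-digest"


def build_sample_jar(alg, signed=True):
    """Constructed sample input: a minimal JAR whose digests use `alg`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\n\r\nName: A.class\r\n{alg}-Digest: AAAA\r\n\r\n")
        if signed:
            z.writestr("META-INF/SIGNER.SF",
                       f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: AAAA\r\n\r\n")
            z.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real PKCS#7 block")
        z.writestr("A.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, "->", audit(build_sample_jar(alg)))
```

A JAR reported as sha1-digest still needs its timestamp and certificate chain checked before concluding that it would be treated as unsigned.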

@seanjmullan
Member Author

/csr

@seanjmullan
Member Author

/help

@seanjmullan
Member Author

/label add security

@seanjmullan
Member Author

/label security

@seanjmullan
Member Author

/label add rfr

@seanjmullan seanjmullan deleted the JDK-8196415 branch April 26, 2021 17:22
@seanjmullan seanjmullan restored the JDK-8196415 branch April 26, 2021 17:22
@bridgekeeper

bridgekeeper bot commented Apr 26, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the csr Pull request needs approved CSR before integration label Apr 26, 2021
@openjdk

openjdk bot commented Apr 26, 2021

@seanjmullan this pull request will not be integrated until the CSR request JDK-8264362 for issue JDK-8196415 has been approved.

@openjdk openjdk bot added the rfr Pull request is ready for review label Apr 26, 2021
@openjdk

openjdk bot commented Apr 26, 2021

@seanjmullan Available commands:

  • cc - add or remove an additional classification label
  • clean - Mark the backport pull request as a clean backport
  • contributor - adds or removes additional contributors for a PR
  • covered - used when employer has signed the OCA
  • csr - require a compatibility and specification request (CSR) for this pull request
  • help - shows this text
  • integrate - performs integration of the changes in the PR
  • issue - edit the list of issues that this PR solves
  • label - add or remove an additional classification label
  • open - Set the pull request state to "open"
  • reviewer - manage additional reviewers for a PR
  • reviewers - set the number of additional required reviewers for this PR
  • signed - used after signing the OCA
  • solves - edit the list of issues that this PR solves
  • sponsor - performs integration of a PR that is authored by a non-committer
  • summary - updates the summary in the commit message
  • test - used to run tests

@openjdk openjdk bot added the security security-dev@openjdk.org label Apr 26, 2021
@openjdk

openjdk bot commented Apr 26, 2021

@seanjmullan
The security label was successfully added.

@openjdk

openjdk bot commented Apr 26, 2021

@seanjmullan The security label was already applied.

@openjdk

openjdk bot commented Apr 26, 2021

@seanjmullan The label rfr is not a valid label. These labels are valid:

  • serviceability
  • hotspot
  • sound
  • hotspot-compiler
  • kulla
  • i18n
  • shenandoah
  • jdk
  • javadoc
  • 2d
  • security
  • swing
  • hotspot-runtime
  • jmx
  • build
  • nio
  • beans
  • core-libs
  • compiler
  • net
  • hotspot-gc
  • hotspot-jfr
  • awt

Labels

  • csr - Pull request needs approved CSR before integration
  • rfr - Pull request is ready for review
  • security - security-dev@openjdk.org

1 participant