Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8196415: Disable SHA-1 Signed JARs #3700

Closed
wants to merge 3 commits into from

Conversation

seanjmullan
Copy link
Member

@seanjmullan seanjmullan commented Apr 26, 2021

This change will restrict JARs signed with SHA-1 algorithms and treat them as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

All tests are in the closed repo for now.

CSR: https://bugs.openjdk.java.net/browse/JDK-8264362


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/3700/head:pull/3700
$ git checkout pull/3700

Update a local copy of the PR:
$ git checkout pull/3700
$ git pull https://git.openjdk.java.net/jdk pull/3700/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3700

View PR using the GUI difftool:
$ git pr show -t 3700

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/3700.diff

@bridgekeeper
Copy link

bridgekeeper bot commented Apr 26, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Apr 26, 2021
@openjdk
Copy link

openjdk bot commented Apr 26, 2021

@seanjmullan The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Apr 26, 2021
@mlbridge
Copy link

mlbridge bot commented Apr 26, 2021

Webrevs

@openjdk
Copy link

openjdk bot commented Apr 27, 2021

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8196415: Disable SHA-1 Signed JARs

Reviewed-by: coffeys

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 103 new commits pushed to the master branch:

  • fbfd4ea: 8265914: Duplicated NotANode and not_a_node
  • 9481fad: 8163367: Test javax/swing/JComboBox/8033069/bug8033069NoScrollBar.java javax/swing/JComboBox/8033069/bug8033069ScrollBar.java fails intermittently
  • 9adbf15: 8265995: Shenandoah: Move ShenandoahInitMarkRootsClosure close to its use
  • 879a77f: 8265757: stack-use-after-scope in perfMemory_posix.cpp get_user_name_slow()
  • e4be968: 8265980: Fix systemDictionary and loaderConstraints printing
  • f6e26f6: 8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter
  • 0a4c338: 8263432: javac may report an invalid package/class clash on case insensitive filesystems
  • 82b3719: 8265967: Unused NullCheckNode forward declaration in node.hpp
  • 468c847: 8234020: Remove FullGCCount_lock
  • 4785e11: 8264806: Remove the experimental JIT compiler
  • ... and 93 more: https://git.openjdk.java.net/jdk/compare/da860290c2657c0fb1de8c77c8dffdb35f1cf938...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Apr 27, 2021
@seanjmullan
Copy link
Member Author

/integrate

@openjdk openjdk bot closed this Apr 28, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Apr 28, 2021
@openjdk
Copy link

openjdk bot commented Apr 28, 2021

@seanjmullan Since your change was applied there have been 143 commits pushed to the master branch:

  • 21f65f8: 8266206: Build failure after JDK-8264752 with older GCCs
  • c71c268: 8266165: TestNoWarningLoopStripMiningIterSet is runnable only on VM w/ G1, Shenandoah, Z and Epsilon
  • 8954bef: 8266188: mark hotspot compiler/cpuflags tests which ignore VM flags
  • 19d3c45: 8266184: a few compiler/debug tests don't check exit code
  • 7e3bc4c: 8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine"
  • f40bf1d: 8266087: Move 'buffer' declaration in get_user_name_slow() inside of linux specific code
  • ec383ab: 8183374: Refactor java/lang/Runtime shell tests to java
  • 343a4a7: 8185127: Add tests to cover hashCode() method for java supported crypto key types
  • e325a75: 8264593: debug.cpp utilities should be available in product builds.
  • e879f8c: 8265587: IGV: track nodes across matching
  • ... and 133 more: https://git.openjdk.java.net/jdk/compare/da860290c2657c0fb1de8c77c8dffdb35f1cf938...master

Your commit was automatically rebased without conflicts.

Pushed as commit 2780577.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
2 participants