8196415: Disable SHA-1 Signed JARs

[seanjmullan]

This change will restrict JARs signed with SHA-1 algorithms and treat them as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

• Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
• Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

All tests are in the closed repo for now.

CSR: https://bugs.openjdk.java.net/browse/JDK-8264362

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8196415: Disable SHA-1 Signed JARs

Reviewers

• Sean Coffey (@coffeys - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/3700/head:pull/3700
$ git checkout pull/3700

Update a local copy of the PR:
$ git checkout pull/3700
$ git pull https://git.openjdk.java.net/jdk pull/3700/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3700

View PR using the GUI difftool:
$ git pr show -t 3700

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/3700.diff

[bridgekeeper]

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@seanjmullan The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 00: Full (d33c5302)

[openjdk]

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8196415: Disable SHA-1 Signed JARs

Reviewed-by: coffeys

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 103 new commits pushed to the master branch:

• fbfd4ea: 8265914: Duplicated NotANode and not_a_node
• 9481fad: 8163367: Test javax/swing/JComboBox/8033069/bug8033069NoScrollBar.java javax/swing/JComboBox/8033069/bug8033069ScrollBar.java fails intermittently
• 9adbf15: 8265995: Shenandoah: Move ShenandoahInitMarkRootsClosure close to its use
• 879a77f: 8265757: stack-use-after-scope in perfMemory_posix.cpp get_user_name_slow()
• e4be968: 8265980: Fix systemDictionary and loaderConstraints printing
• f6e26f6: 8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter
• 0a4c338: 8263432: javac may report an invalid package/class clash on case insensitive filesystems
• 82b3719: 8265967: Unused NullCheckNode forward declaration in node.hpp
• 468c847: 8234020: Remove FullGCCount_lock
• 4785e11: 8264806: Remove the experimental JIT compiler
• ... and 93 more: https://git.openjdk.java.net/jdk/compare/da860290c2657c0fb1de8c77c8dffdb35f1cf938...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[seanjmullan]

/integrate

[openjdk]

@seanjmullan Since your change was applied there have been 143 commits pushed to the master branch:

• 21f65f8: 8266206: Build failure after JDK-8264752 with older GCCs
• c71c268: 8266165: TestNoWarningLoopStripMiningIterSet is runnable only on VM w/ G1, Shenandoah, Z and Epsilon
• 8954bef: 8266188: mark hotspot compiler/cpuflags tests which ignore VM flags
• 19d3c45: 8266184: a few compiler/debug tests don't check exit code
• 7e3bc4c: 8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine"
• f40bf1d: 8266087: Move 'buffer' declaration in get_user_name_slow() inside of linux specific code
• ec383ab: 8183374: Refactor java/lang/Runtime shell tests to java
• 343a4a7: 8185127: Add tests to cover hashCode() method for java supported crypto key types
• e325a75: 8264593: debug.cpp utilities should be available in product builds.
• e879f8c: 8265587: IGV: track nodes across matching
• ... and 133 more: https://git.openjdk.java.net/jdk/compare/da860290c2657c0fb1de8c77c8dffdb35f1cf938...master

Your commit was automatically rebased without conflicts.

Pushed as commit 2780577.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.