[UPDATE] Oracle just revised the crypto roadmap (https://www.java.com/en/jre-jdk-cryptoroadmap.html), they will not deprecate SHA-1 for codesigning: 2017-03-14 Target date changed from 2017-04-18 to 2017-07-18. Narrowed scope from all SHA-1 usage: only TLS will be affected, *code signing will not not be affected at this time*.
This does not affect, in any way, the fine answer I received below, as it will apply, no doubt, in the future.
--
Original post:
Attempting to run our Webstart-deployed Java application on JRE 9 ea 153
, I get the following popup:
Looking further at details, I see that the certificate will still be valid for a while:
, therefore, I am wondering if deprecating SHA1 is the reason?
This certainly does sound like a policy in line with (others' in the industry), but the message doesn't really sound neophyte-friendly (especially if it is meant to face end-users), so I am left wondering.
I looked for a roadmap. This is what I found, but I'm not sure whether I'm interpreting correctly this paragraph correctly:
Disable SHA-1 in certificate chains anchored by roots included by default in Oracle's JDK; local or enterprise CAs are not affected. Signed code that is timestamped before 2017-01-01 is not affected.
as the reason for the failure above. I would very much appreciate a confirmation.
FWIW, our certificate is issued by a CA, which I presume is different from an "enterprise" CA.
Thank you.
If that signed Jar is meant to be used by end-users there is no way a package that was SHA1 signed in 2017 is going to work.
Phasing out SHA1 was announced a long time ago. Only way would be to install a local CA or something, but that is not going to happen on end-user machines (neither should it).
To sign a Jar for your end-users you need a new valid SHA-256 Cert from your CA, and re-sign any Jar that was signed with the old one AFTER 31.12.2016. Your cert would have expired in a few month anyway.
Whether you have to dualsign your jars depends on the oldest JVM version you are targeting. As far as i understand it anything >=1.4.2 supports SHA-256. If you want to target even older Versions (hell when i started programming java 1.5 was already considered OLD) you would need something like dual-signing. More Information can be found here and here
"How to dual sign a jar" is probably a new topic because it is hardly related to this question i think.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With