Java 9弃用SHA1证书，还是其他问题在起作用？ [英] Java 9 deprecating SHA1 certificates, or another issue at work?

问题描述

[更新] Oracle刚刚修改了加密路线图（

进一步了解细节，我看到证书在一段时间内仍然有效：

，因此，我想知道是否

这确实听起来像是一项符合（业内的其他人），但该消息听起来并不是对新手友好的（特别是如果是要面对最终用户），那么我就纳闷了。

我在寻找路线图。 这是我找到的，但是我不确定是否我'm正确地解释了此段：

在默认情况下，禁用由Oracle JDK包含的根锚定的证书链中的SHA-1；本地或企业CA不受影响。时间戳在2017年1月1日之前签名的代码不会受到影响。

是上述失败的原因。我非常感谢您的确认。

FWIW，我们的证书是由CA颁发的，我认为它不同于企业 CA。

谢谢。

解决方案

如果该签名的Jar供最终用户使用，则没有办法打包是SHA1于2017年签署的协议。

逐步淘汰SHA1是很久以前宣布的。
唯一的方法是安装本地CA或类似的东西，但这不会在最终用户计算机上发生（也不应该）。

到为最终用户签名一个Jar，您需要从您的CA处获得一个新的有效SHA-256证书，并重新签名在2016年12月31日之后与旧签名的任何Jar。
无论如何，您的证书将在几个月后过期。

是否必须对jar进行双重签名取决于您所针对的最旧的JVM版本。据我了解，任何> = 1.4.2都支持SHA-256。如果您想定位甚至更旧的版本（在我开始编程Java 1.5时，它已经被认为是OLD），那么您将需要双重签名。可以在此处和在这里

如何对符号进行双重签名jar可能是一个新话题，因为它与我认为的问题几乎无关。

[UPDATE] Oracle just revised the crypto roadmap (https://www.java.com/en/jre-jdk-cryptoroadmap.html), they will not deprecate SHA-1 for codesigning: 2017-03-14 Target date changed from 2017-04-18 to 2017-07-18. Narrowed scope from all SHA-1 usage: only TLS will be affected, *code signing will not not be affected at this time*.

This does not affect, in any way, the fine answer I received below, as it will apply, no doubt, in the future.

--

Original post:

Attempting to run our Webstart-deployed Java application on JRE 9 ea 153, I get the following popup:

Looking further at details, I see that the certificate will still be valid for a while:

, therefore, I am wondering if deprecating SHA1 is the reason?

This certainly does sound like a policy in line with (others' in the industry), but the message doesn't really sound neophyte-friendly (especially if it is meant to face end-users), so I am left wondering.

I looked for a roadmap. This is what I found, but I'm not sure whether I'm interpreting correctly this paragraph correctly:

Disable SHA-1 in certificate chains anchored by roots included by default in Oracle's JDK; local or enterprise CAs are not affected. Signed code that is timestamped before 2017-01-01 is not affected.

as the reason for the failure above. I would very much appreciate a confirmation.

FWIW, our certificate is issued by a CA, which I presume is different from an "enterprise" CA.

Thank you.

解决方案

If that signed Jar is meant to be used by end-users there is no way a package that was SHA1 signed in 2017 is going to work.

Phasing out SHA1 was announced a long time ago. Only way would be to install a local CA or something, but that is not going to happen on end-user machines (neither should it).

To sign a Jar for your end-users you need a new valid SHA-256 Cert from your CA, and re-sign any Jar that was signed with the old one AFTER 31.12.2016. Your cert would have expired in a few month anyway.

Whether you have to dualsign your jars depends on the oldest JVM version you are targeting. As far as i understand it anything >=1.4.2 supports SHA-256. If you want to target even older Versions (hell when i started programming java 1.5 was already considered OLD) you would need something like dual-signing. More Information can be found here and here

"How to dual sign a jar" is probably a new topic because it is hardly related to this question i think.

这篇关于Java 9弃用SHA1证书，还是其他问题在起作用？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！