[UPDATE] Oracle has just revised the cryptographic roadmap (https://www.java.com/en/jre-jdk-cryptoroadmap.html); they will not block SHA-1 for code signing:
2017-03-14 Target date changed from 2017-04-18 to 2017-07-18. Narrowed scope from all SHA-1 usage: only TLS will be affected, *code signing will not be affected at this time*.
This in no way affects the correct answer that I received below, since it will no doubt be applied in the future.
-
Original post:
Trying to run our Java application deployed by Webstart on JRE 9 ea 153, I get the following popup:
In further details, I see that the certificate will still be valid for some time:
so I wonder whether the reason is the deprecation of SHA-1?
It certainly sounds like a policy in line with what others in the industry are doing, but the message doesn't really sound neophyte-friendly (especially if it is intended for end users), so I was left bewildered.
I was looking for a roadmap. This is what I found, but I'm not sure if I am interpreting this paragraph correctly:
Disable SHA-1 in certificate chains anchored by roots included by default in Oracle JDK; local or enterprise CAs are not affected. Signed code that is timestamped before 2017-01-01 is not affected.
as the cause of the failure above. I would really appreciate confirmation.
FWIW, our certificate is issued by a CA, which I believe is different from an enterprise CA.
Thanks.
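The roadmap paragraph quoted in the question names two conditions: SHA-1 somewhere in the signer's certificate chain, and a signature timestamp before 2017-01-01. The following Java program, an added example and not code from the question, from the answer it mentions, or from Oracle, checks a signed JAR against both using only standard JDK APIs (java.util.jar and java.security). It assumes JDK 8 or later and a single JAR path on the command line; the SHA-1 check is a heuristic on the certificate's signature algorithm name, and whether the chain's root is one of the JDK's default roots or a local/enterprise CA is not recorded in the JAR, so that part of the rule is not evaluated.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Date;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Audits the signers of a JAR against the two conditions quoted from the Oracle
 * roadmap: SHA-1 in the signer's certificate chain, and a signature timestamp
 * before 2017-01-01. Added example built on standard JDK APIs only; it is not
 * part of the original question, the answer, or Oracle's tooling.
 */
public class Sha1JarAudit {

    // Cutoff taken from the roadmap paragraph quoted in the question (UTC midnight).
    static final Date CUTOFF =
            Date.from(LocalDate.of(2017, 1, 1).atStartOfDay(ZoneOffset.UTC).toInstant());

    /** Heuristic on the JCA algorithm name, e.g. "SHA1withRSA" or "SHA1withECDSA". */
    static boolean usesSha1(X509Certificate cert) {
        String alg = cert.getSigAlgName().toUpperCase();
        return alg.contains("SHA1") || alg.contains("SHA-1");
    }

    /** A self-signed certificate is the trust anchor; its own signature is not what
     *  the restriction targets, so it is skipped when scanning the chain. */
    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    /**
     * getCodeSigners() only returns data after an entry has been read to the end,
     * because that is when the JAR verifier checks its digest, so every entry is drained.
     */
    static Set<CodeSigner> collectSigners(JarFile jar) throws Exception {
        Set<CodeSigner> signers = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        Enumeration<JarEntry> entries = jar.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* drain; a tampered entry throws SecurityException */ }
            }
            CodeSigner[] cs = entry.getCodeSigners();
            if (cs != null) for (CodeSigner c : cs) signers.add(c);
        }
        return signers;
    }

    /** True if the signer would be hit by the quoted rule: SHA-1 in the chain and no
     *  timestamp older than the cutoff. The "anchored by a JDK default root" part of
     *  the rule cannot be decided from the JAR alone and is deliberately not checked. */
    static boolean affectedByRule(CodeSigner signer) {
        boolean sha1InChain = false;
        List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            if (isSelfSigned(x)) continue;
            sha1InChain |= usesSha1(x);
            System.out.printf("  %-14s %s%n", x.getSigAlgName(), x.getSubjectX500Principal());
        }
        Timestamp ts = signer.getTimestamp();
        boolean oldTimestamp = ts != null && ts.getTimestamp().before(CUTOFF);
        System.out.println("  timestamp: " + (ts == null ? "none" : ts.getTimestamp()));
        return sha1InChain && !oldTimestamp;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java Sha1JarAudit <signed.jar>");
            System.exit(2);
        }
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            Set<CodeSigner> signers = collectSigners(jar);
            if (signers.isEmpty()) {
                System.out.println("no code signers found (unsigned JAR?)");
                return;
            }
            int n = 0;
            for (CodeSigner s : signers) {
                System.out.println("signer " + (++n) + ":");
                System.out.println(affectedByRule(s)
                        ? "  -> SHA-1 in chain and not timestamped before 2017-01-01: affected"
                        : "  -> not affected by the quoted rule");
            }
        }
    }
}
```

Compile and run with `javac Sha1JarAudit.java && java Sha1JarAudit app.jar`. The per-certificate signature algorithm lines make it easy to see whether SHA-1 sits on the leaf or on an intermediate, which is the information the Webstart popup does not show; a missing timestamp means the second exemption in the roadmap cannot apply regardless of when the JAR was signed.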