Skip jarsigner test due to weak signatures

Jochen Sprickerhof requested to merge jspricke/fdroidserver:fix_new_jdk into master

openjdk-11 11.0.17 in Debian unstable fails to verify weak signatures:

jarsigner -verbose -strict -verify tests/signindex/guardianproject.jar

     131 Fri Dec 02 20:10:00 CET 2016 META-INF/MANIFEST.MF
     252 Fri Dec 02 20:10:04 CET 2016 META-INF/1.SF
    2299 Fri Dec 02 20:10:04 CET 2016 META-INF/1.RSA
       0 Fri Dec 02 20:09:58 CET 2016 META-INF/

m ? 48743 Fri Dec 02 20:09:58 CET 2016 index.xml

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  ? = unsigned entry

  • Signed by "EMAILADDRESS=root@guardianproject.info, CN=guardianproject.info, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US"
      Digest algorithm: SHA1 (disabled)
      Signature algorithm: SHA1withRSA (disabled), 4096-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01, include jdk.disabled.namedCurves
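
The following Python sketch is an added example, not part of the merge request or of fdroidserver. It parses jarsigner output like the one quoted above and reports which `jdk.jar.disabledAlgorithms` rule accounts for each algorithm marked `(disabled)`; the function names are hypothetical and the sample is an abbreviated copy of the quoted output.

```python
import operator
import re
from datetime import date

# Abbreviated excerpt of the jarsigner output quoted above (DN shortened).
SAMPLE = """\
- Signed by "CN=guardianproject.info, O=Guardian Project, OU=FDroid Repo"
    Digest algorithm: SHA1 (disabled)
    Signature algorithm: SHA1withRSA (disabled), 4096-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01, include jdk.disabled.namedCurves
"""
ALGO = re.compile(r"(?:Digest|Signature) algorithm: (\S+?) \(disabled\)(?:, (\d+)-bit key)?")
PROP = re.compile(r"jdk\.jar\.disabledAlgorithms=(.*)")
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, ">=": operator.ge}

def parse_constraints(value):
    """Map each listed algorithm to its constraint text ('' = always disabled)."""
    rules = {}
    for entry in value.split(","):
        name, _, constraint = entry.strip().partition(" ")
        if name and name != "include":  # 'include' refers to another property
            rules[name.upper()] = constraint.strip()
    return rules

def applies(constraint, key_bits, today):
    """Decide whether one constraint matches the given key size and check date."""
    if not constraint:
        return True
    kind, *args = constraint.split()
    if kind == "keySize" and key_bits is not None:
        return OPS[args[0]](key_bits, int(args[1]))
    if kind == "denyAfter":
        # Simplification: compared with the check date; JAR timestamps are not modelled.
        return today > date.fromisoformat(args[0])
    return False

def explain(output, today=None):
    """Return (treated_as_unsigned, [(algorithm, matching rule), ...])."""
    prop = PROP.search(output)
    rules = parse_constraints(prop.group(1)) if prop else {}
    hits = []
    for algo, bits in ALGO.findall(output):
        for part in algo.upper().split("WITH"):  # SHA1withRSA -> SHA1, RSA
            rule = rules.get(part)
            if rule is not None and applies(rule, int(bits) if bits else None, today or date.today()):
                hits.append((algo, f"{part} {rule}".strip()))
    return "treated as unsigned" in output, hits
```

For the quoted output, only the `SHA1 denyAfter 2019-01-01` rule matches; the `RSA keySize < 1024` rule does not, because the key is 4096 bits.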
