Java 9 deprecating SHA1 certificates, or another issue at work?

情书的邮戳 2021-01-05 09:28

[UPDATE] Oracle just revised the crypto roadmap (https://www.java.com/en/jre-jdk-cryptoroadmap.html), they will not deprecate SHA-1 for code signing

1 answer
  • 2021-01-05 09:38

    If that signed Jar is meant to be used by end-users, there is no way a package that was SHA1-signed in 2017 is going to work.

    Phasing out SHA1 was announced a long time ago. Only way would be to install a local CA or something, but that is not going to happen on end-user machines (neither should it).

    To sign a Jar for your end-users you need a new valid SHA-256 cert from your CA, and re-sign any Jar that was signed with the old one AFTER 31.12.2016. Your cert would have expired in a few months anyway.

    Whether you have to dual-sign your jars depends on the oldest JVM version you are targeting. As far as I understand it, anything >=1.4.2 supports SHA-256. If you want to target even older versions (hell, when I started programming, Java 1.5 was already considered OLD) you would need something like dual-signing. More information can be found here and here.

    "How to dual-sign a jar" is probably a new topic, because it is hardly related to this question, I think.

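The check implied by the answer, as an added example that is not part of the original post: it reads the digest headers of each META-INF/*.SF file (the JAR signing format) to see which signers still rely on SHA-1 and whether a SHA-256 signer is present, as you would expect in a dual-signed jar. It inspects headers only and does not verify signatures (use `jarsigner -verify -verbose -certs` for that); the sample jars, the aliases OLDCERT/NEWCERT and the digest values are constructed.

```python
import io
import re
import zipfile

# Header names in a .SF file: "SHA1-Digest:", "SHA-256-Digest-Manifest:", etc.
_DIGEST_HDR = re.compile(r"^([A-Za-z0-9-]+)-Digest(?:-Manifest)?(?:-Main-Attributes)?\s*:", re.M)
_WEAK = {"MD2", "MD5", "SHA1"}  # digest algorithms treated as weak by this check


def signer_digests(jar_bytes):
    """Map each signer (META-INF/<ALIAS>.SF) to the digest algorithms its .SF uses."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                text = zf.read(name).decode("utf-8", "replace")
                algs = {a.replace("-", "").upper() for a in _DIGEST_HDR.findall(text)}
                out[name[len("META-INF/"):-3]] = algs  # "SHA-256" -> "SHA256"
    return out


def needs_resigning(jar_bytes):
    """True unless some signer's .SF uses only non-weak digests (unsigned jars -> True)."""
    digests = signer_digests(jar_bytes)
    return not any(algs and not (algs & _WEAK) for algs in digests.values())


def make_jar(sf_files):
    """Constructed sample jar: manifest, one class, and the given .SF files with
    placeholder .RSA blocks (not real signatures; only .SF headers are inspected)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for alias, text in sf_files.items():
            zf.writestr(f"META-INF/{alias}.SF", text)
            zf.writestr(f"META-INF/{alias}.RSA", b"<placeholder PKCS#7 block>")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed .SF contents; the digest values are placeholders, not real hashes.
SHA1_SF = ("Signature-Version: 1.0\r\nSHA1-Digest-Manifest: AAAA\r\n\r\n"
           "Name: com/example/App.class\r\nSHA1-Digest: BBBB\r\n\r\n")
SHA256_SF = SHA1_SF.replace("SHA1-", "SHA-256-")

OLD_JAR = make_jar({"OLDCERT": SHA1_SF})                        # SHA-1 only, as signed in 2017
DUAL_JAR = make_jar({"OLDCERT": SHA1_SF, "NEWCERT": SHA256_SF})  # dual-signed after re-signing

if __name__ == "__main__":
    for label, jar in (("old", OLD_JAR), ("dual", DUAL_JAR)):
        print(label, signer_digests(jar), "needs re-signing:", needs_resigning(jar))
```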