Since which Java version are SHA-256 and SHA256withRSA supported for timestamping in signed jar files?
I have the following entry in the signature of my jar file:
Timestamped by "CN=GlobalSign TSA for Advanced - G3 - 001-02, O=GMO GlobalSign K.K., C=JP" on Mo Apr 10 11:48:34 UTC 2017
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
I already found out that SHA-256 as the timestamp digest algorithm and SHA256withRSA as the timestamp signature algorithm cause problems when running the jar file on a system whose Java version is lower than 1.7.0_76 (the jar file is treated as unsigned).
Can anyone tell me in which Java versions these two algorithms are supported for the timestamp digest and timestamp signature?
Java versions below 1.7.0_76 do not support SHA-256 for timestamps; see https://bugs.openjdk.java.net/browse/JDK-8049480 (fix included in 1.7.0_76: http://www.oracle.com/technetwork/java/javase/2col/7u76-bugfixes-2389098.html).
From the Oracle JRE and JDK Cryptographic Roadmap, SHA-1 is still not planned to be disabled for code signing.
So, I believe the best choice (for supporting older Java versions) at the moment is using SHA-1 as the timestamping algorithm. (Use a version below 8u101 or 7u111 for signing, or use the -tsadigestalg option on 8u101, 7u111 or above.)
I have tested a jar file signed with:
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
It works fine with Java 7, 8, 9 (ea+174).
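A check for the situation discussed above, as an added example that is not part of the original question or answer: it reads `jarsigner -verify -verbose` output and reports whether the timestamp algorithms fall on the SHA-256 side of the 1.7.0_76 threshold. It assumes the output contains the "Timestamp digest algorithm" and "Timestamp signature algorithm" lines in the format quoted on this page; the function names and `app.jar` are hypothetical.

```shell
#!/bin/sh
# check_ts_compat: reads jarsigner verification output on stdin and prints
#   needs-7u76   timestamp uses SHA-256 / SHA256withRSA (unsigned below 1.7.0_76)
#   legacy-ok    timestamp uses SHA-1 / SHA1withRSA
#   no-timestamp no timestamp algorithm lines found
#   unknown      any other combination
check_ts_compat() {
    awk -F': *' '
        function clean(v) { sub(/[ \t\r]+$/, "", v); return v }
        /Timestamp digest algorithm/    { d = clean($2) }
        /Timestamp signature algorithm/ { split($2, a, ","); s = clean(a[1]) }
        END {
            if (d == "" && s == "")                          print "no-timestamp"
            else if (d == "SHA-256" || s == "SHA256withRSA") print "needs-7u76"
            else if (d == "SHA-1" && s == "SHA1withRSA")     print "legacy-ok"
            else                                             print "unknown"
        }'
}

# Sample input: the lines quoted in the question.
sample_sha256_ts() {
cat <<'EOF'
Timestamped by "CN=GlobalSign TSA for Advanced - G3 - 001-02, O=GMO GlobalSign K.K., C=JP" on Mo Apr 10 11:48:34 UTC 2017
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
EOF
}

# Sample input: the lines quoted in the answer.
sample_sha1_ts() {
cat <<'EOF'
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
EOF
}

# Against a real jar (app.jar is a placeholder):
#   jarsigner -verify -verbose app.jar | check_ts_compat
sample_sha256_ts | check_ts_compat
sample_sha1_ts   | check_ts_compat
```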