On Thu, 13 Feb 2025 16:27:03 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> This change adds an API note to these methods recommending that the caller > should perform further validation steps on the code signers that signed the > JAR file, such as validating the code signer's certificate chain, and > determining if the signer should be trusted. There was already a similar > warning in the `JarFile` and `JarInputStream` class descriptions, but this > adds a similar and more direct warning at the methods that return the code > signer's certificates. > > 2 other smaller changes: > - In `JarEntry.getCertificates`, added a recommendation to use the > `getCodeSigners` method instead > - Added details of the order of the returned certificates to > `JarURLConnection.getCertificates` (copied from `JarEntry.getCertificates`) Hello Sean, given the assertable change to the API documentation of `java.net.JarURLConnection.getCertificates()`, which now specifies the order of the returned certificates, would this require a CSR? ------------- PR Comment: https://git.openjdk.org/jdk/pull/23616#issuecomment-2658490788
