On Thu, 13 Feb 2025 16:27:03 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> This change adds an API note to these methods recommending that the caller > should perform further validation steps on the code signers that signed the > JAR file, such as validating the code signer's certificate chain, and > determining if the signer should be trusted. There was already a similar > warning in the `JarFile` and `JarInputStream` class descriptions, but this > adds a similar and more direct warning at the methods that return the code > signer's certificates. > > 2 other smaller changes: > - In `JarEntry.getCertificates`, added a recommendation to use the > `getCodeSigners` method instead > - Added details of the order of the returned certificates to > `JarURLConnection.getCertificates` (copied from `JarEntry.getCertificates`) Marked as reviewed by lancea (Reviewer). ------------- PR Review: https://git.openjdk.org/jdk/pull/23616#pullrequestreview-2618386370
