On Thu, 13 Feb 2025 16:27:03 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> This change adds an API note to these methods recommending that the caller 
> should perform further validation steps on the code signers that signed the 
> JAR file, such as validating the code signer's certificate chain, and 
> determining if the signer should be trusted. There was already a similar 
> warning in the `JarFile` and `JarInputStream` class descriptions, but this 
> adds a similar and more direct warning at the methods that return the code 
> signer's certificates.
> 
> 2 other smaller changes:
>  - In `JarEntry.getCertificates`, added a recommendation to use the 
> `getCodeSigners` method instead
>  - Added details of the order of the returned certificates to 
> `JarURLConnection.getCertificates` (copied from `JarEntry.getCertificates`)

This pull request has now been integrated.

Changeset: 577ff98a
Author:    Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/577ff98a6733a99ea49510f15d631beff39c34a5
Stats:     38 lines in 3 files changed: 32 ins; 0 del; 6 mod

8347946: Add API note that caller should validate/trust signers to the 
getCertificates and getCodeSigners methods of JarEntry and JarURLConnection

Reviewed-by: lancea, jpai

-------------

PR: https://git.openjdk.org/jdk/pull/23616
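
The validation the API note recommends could look like the following; this is an added example, not code from the JDK or from this pull request. The class and method names are hypothetical, and the example assumes a trust store holding only the CA certificates the application accepts for code signing, a policy that each entry needs at least one signer chaining to those CAs, and validation at the current time (signature timestamps are ignored).

```java
import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    // Files that carry the signature itself; getCodeSigners() returns null for these.
    static boolean isSignatureRelated(String name) {
        return name.toUpperCase(Locale.ROOT)
                   .matches("META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|DSA|RSA|EC))");
    }
    // PKIX cert paths exclude the trust anchor, so drop a trailing self-signed root if present.
    static CertPath withoutRoot(CertPath path) throws CertificateException {
        List<Certificate> certs = new ArrayList<>(path.getCertificates());
        X509Certificate last = (X509Certificate) certs.get(certs.size() - 1);
        if (certs.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            certs.remove(certs.size() - 1);
        return CertificateFactory.getInstance("X.509").generateCertPath(certs);
    }
    // Hypothetical helper: throws unless every entry has a signer that chains to the given anchors.
    static void requireTrustedSigners(File jarPath, KeyStore anchors) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline example; configure OCSP/CRL checking in production
        CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Signers are populated only after the entry is read to the end; a digest mismatch throws here.
                try (InputStream in = jar.getInputStream(e)) { in.transferTo(OutputStream.nullOutputStream()); }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    try { pkix.validate(withoutRoot(s.getSignerCertPath()), params); trusted = true; break; }
                    catch (CertPathValidatorException ex) { /* not trusted; try the next signer */ }
                }
                if (!trusted) throw new SecurityException("no trusted signer for: " + e.getName());
            }
        }
    }
    // Usage: java JarSignerCheck <jar> <truststore> <truststore-password>
    public static void main(String[] args) throws Exception {
        requireTrustedSigners(new File(args[0]), KeyStore.getInstance(new File(args[1]), args[2].toCharArray()));
    }
}
```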
