
I signed a jar file using the signer provided with jdk 1.7.0_71. This also worked previously until we updated from

X.509, CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa

to

X.509, CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa

Now we have the behaviour that the jar file is recognized as signed on 1.7.0_76 but not on 1.7.0_75. The only difference I see is the generation.

Although I have the strong feeling that some security update similar to the topic described in "Signing JAR files in the explorer showing 'unsigned' when verifying them" causes the problem, I cannot find any proof.

Did somebody already stumble across a similar or the same problem and, more importantly, found a solution?

Florian

1 Answer


The problem was not the new certificate. It actually depended on two other factors.

  1. The Java version from which the jarsigner was taken. If you take the jarsigner from some Java 8 JDK it can happen that it does not work any more with every Java 7 JRE as SHA256 is used at "Timestamp digest algorithm".
  2. The URL used for timestamping. If you are using one which provides higher security (let's say SHA256), it also no longer works with every Java 7 JRE, as again SHA256 is used, now at "Timestamp signature algorithm".
Florian
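The first factor in the answer (the "Timestamp digest algorithm" chosen by the jarsigner that produced the JAR) can be read straight out of the signature block file. The following is an added example, not code from the question, the answer or the JDK: it walks the DER of a `META-INF/*.RSA` block to report the digest algorithm named in the embedded RFC 3161 timestamp token, so a JAR can be checked before it is shipped to a JRE older than 7u76. It assumes the token sits in the standard `id-aa-timeStampToken` unsigned attribute and finds it by scanning for that OID; the sample block it builds is constructed for the demonstration, not a real signature.

```python
# DER-encoded OID values (tag and length stripped) that the parser recognises
TST_OID = bytes.fromhex("2a864886f70d010910020e")     # id-aa-timeStampToken
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # id-signedData
SHA1_OID, SHA256_OID = bytes.fromhex("2b0e03021a"), bytes.fromhex("608648016503040201")
DIGESTS = {SHA1_OID: "SHA-1", SHA256_OID: "SHA-256",
           bytes.fromhex("608648016503040202"): "SHA-384",
           bytes.fromhex("608648016503040203"): "SHA-512"}

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def timestamp_digest_algs(sig_block):
    """Digest algorithms named in SignedData.digestAlgorithms of the RFC 3161
    token stored in the signer's unsigned attributes; [] if there is no token."""
    i = sig_block.find(b"\x06\x0b" + TST_OID)        # attrType of the timestamp attribute
    if i < 0:
        return []
    _, s, _ = read_tlv(sig_block, i + 13)            # SET OF AttributeValue
    _, s, _ = read_tlv(sig_block, s)                 # ContentInfo (the token itself)
    _, s, e = read_tlv(sig_block, s)                 # contentType must be id-signedData
    if sig_block[s:e] != SIGNED_DATA:
        return ["unknown"]
    _, s, _ = read_tlv(sig_block, e)                 # [0] EXPLICIT content
    _, s, _ = read_tlv(sig_block, s)                 # SignedData SEQUENCE
    _, _, e = read_tlv(sig_block, s)                 # version INTEGER
    _, s, e = read_tlv(sig_block, e)                 # digestAlgorithms SET
    algs = []
    while s < e:
        _, a, s = read_tlv(sig_block, s)             # AlgorithmIdentifier SEQUENCE
        _, o, oe = read_tlv(sig_block, a)            # its algorithm OID
        algs.append(DIGESTS.get(sig_block[o:oe], "unknown"))
    return algs

def tlv(tag, body):
    """Encode one short-form DER TLV; only used to build the constructed sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_block(digest_oid):
    """Constructed signature block holding a minimal timestamp token that names
    digest_oid; real blocks also carry certificates, signatures and more fields."""
    sd = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, tlv(0x30, tlv(0x06, digest_oid) + tlv(0x05, b""))))
    token = tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, sd))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, tlv(0x06, TST_OID) + tlv(0x31, token)))
```

For a real JAR, pass the bytes of the `META-INF/*.RSA` (or `.DSA`/`.EC`) entry, which is an ordinary zip member, to `timestamp_digest_algs`.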