Question
asurion
US
Last activity: 10 Feb 2017 4:08 EST
MD5 signing
Does any of the Pega OOB jars use MD5 signing
***Updated by Moderator: Marissa to update title***
Accepted Solution
Pegasystems Inc.
US
To answer the question:
Q) Does any of the Pega OOB jars use MD5 signing?
A) To determine if a JAR file is signed, unjar the file:
jar -xvf jarfile.jar
And look inside the MANIFEST directory. Specifically, look for:
- a Signature file (filename.sf)
- a Signature Block File (filename.dsa)
The presence of these files indicates that the jar file is signed.
Examining a few jar files from the Process Commander 7.1.9 release, I don't find any of these files.
I have also examined many jar files from the Process Commander 5 and 6 implementations, and never found these files.
Consulting with my peers, the answer is no - we do not sign the files.
FOR YOUR INFORMATION
- re: JAR File Signing (jarsign)
https://courses.cs.washington.edu/courses/cse341/98au/java/jdk1.2beta4/docs/tooldocs/solaris/jarsigner.html
- Oracle Now Discourages the use of JAR Signing
https://blogs.oracle.com/java-platform-group/entry/oracle_jre_will_no_longer
http://www.infoworld.com/article/3159186/security/oracle-to-java-devs-stop-signing-jar-files-with-md5.html
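The check described in the answer above (look under META-INF for an .SF file and a signature block file), as an added example that is not part of the original thread or of any Pega tooling. It opens a JAR as a zip archive in place of unjarring it, and also reads the digest headers of the .SF file, which is where an MD5-signed JAR shows "MD5-Digest" entries. The signature block's own algorithm (e.g. MD5withRSA inside the PKCS#7 block) is not parsed here; `jarsigner -verify` remains the authoritative check. The sample JARs are constructed inline and are not real Pega artifacts.

```python
import io
import re
import zipfile

# A signed JAR carries, under META-INF/, a signature file (.SF) and a signature
# block file (.DSA, .RSA or .EC; the answer above names .DSA).
SIG_FILE_RE = re.compile(r"^META-INF/[^/]+\.SF$", re.IGNORECASE)
SIG_BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(DSA|RSA|EC)$", re.IGNORECASE)
# .SF digest headers read e.g. "SHA-256-Digest-Manifest:" or "MD5-Digest:";
# the prefix before "-Digest" names the hash algorithm.
DIGEST_RE = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.MULTILINE)


def inspect_jar(jar_bytes):
    """Return (signed, digest_algorithms): signed is True only when META-INF
    holds both an .SF file and a signature block; digest_algorithms is the set
    of hash names used in the .SF file(s), e.g. {'MD5'}."""
    algos, sf_names, block_names = set(), [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if SIG_FILE_RE.match(name):
                sf_names.append(name)
                text = zf.read(name).decode("utf-8", errors="replace")
                # Manifest-format lines wrap at 72 bytes with a leading space;
                # unwrap them so header names stay intact.
                text = text.replace("\r\n", "\n").replace("\n ", "")
                algos.update(m.group(1).upper() for m in DIGEST_RE.finditer(text))
            elif SIG_BLOCK_RE.match(name):
                block_names.append(name)
    return bool(sf_names and block_names), algos

def uses_md5(jar_bytes):
    """True when the JAR is signed and its .SF digests were computed with MD5."""
    signed, algos = inspect_jar(jar_bytes)
    return signed and "MD5" in algos

def build_sample_jar(digest=None):
    """Constructed sample JAR (not a Pega artifact): unsigned when digest is
    None, otherwise with a minimal .SF/.DSA pair using the named digest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n\n")
        zf.writestr("a/B.class", b"\xca\xfe\xba\xbe")
        if digest:
            sf = (f"Signature-Version: 1.0\n{digest}-Digest-Manifest: AAAA\n\n"
                  f"Name: a/B.class\n{digest}-Digest: BBBB\n")
            zf.writestr("META-INF/SIGNER.SF", sf)
            zf.writestr("META-INF/SIGNER.DSA", b"\x30\x00")  # placeholder, not real PKCS#7
    return buf.getvalue()
```

To run it against a real file, pass `open("jarfile.jar", "rb").read()` to `inspect_jar`; an empty digest set with `signed == False` is what the answer above reports for the Pega OOB jars.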
Pegasystems Inc.
GB
Hello: can you clarify whether the PRPC JARs shipped are signed with MD5 - or whether there is a facility to allow you to generate MD5 signatures from PRPC?
If the former: I don't believe our JARs are (in general) signed (but I could be wrong about that) - for the latter - you can generate MD5 (etc) from Java and therefore from PRPC.
Thanks !
John
asurion
US
Thanks John, I have learnt that out of the box Pega Jars are unsigned.
asurion
US
Thanks for the detailed explanation and sharing the articles. As per the communication from Oracle that new patches after April 17 are not supported with MD5 signing, we are checking the applications that run on Java (i.e. PRPC, TIBCO) and making sure they are not signed using the MD5 hash algorithm. We have checked the custom jar files we own and are signing them with the more advanced SHA-2 algorithm.