The Jave developers are given more time regarding the JAR files that are signed with MD5 algorithm.Oracle wants to make sure that none of them exist. The Java Runtime Environment (JRE) will not support these types of files starting with the April of this year.
Back in October Oracle has announced their plans to stop trusting JAR files that are signed with the MD5 algorithm, which is now very well known to have a lot of collision vulnerabilities. Oracle has stopped using the MD5 as their default JAR signing option in 2006 itself and now the company want to take things even to next level.
From Java SE 8u131, that was scheduled to release with the April 2017 Critical Patch Update (CPU), the JAR files that are signed with MD5 will be treated as unsigned files and they will not be trusted anymore. Initially, Oracle had planned to stop trusting MD5-signed files from January 2017, but many developers have requested Oracle for additional time to prepare for the change.
Developers are advised to check if their JAR files are signed using MD5 and then re-sign them with any stronger algorithm or key size. They will be using the below command in Zip to remove existing MD5 signatures:
zip -d test.jar ‘META-INF/*.SF’ ‘META-INF/*.RSA’ ‘META-INF/*.DSA’
“If you are using JARS you did not sign or build yourself, you need to contact your vendor for more information,” explained Oracle’s Erik Costlow in October. “If it can no longer be established if a JAR you are using has been signed with MD5, the recommended practice is to re-sign affected JAR files using a more modern algorithm.”
They are other cryptography-related changes planned by Oracle this year for the JRE and JDK. They include disabling SHA-1 in certificate chains anchored by roots which is included by default in the JDK, and increasing the minimum key length for TLS and SSL to 1024 bits.
