The JDK/JRE 1.8.0_131 release introduced a new restriction on how MD5-signed JAR files are verified. If a signed JAR file uses MD5, signature verification ignores the signature and treats the JAR as if it were unsigned.
For example:
- 1.8.0.121
$ /usr/java/jdk1.8.0_121/bin/jarsigner -verbose -verify /opt/SYMCScan/bin/guijar.jar
...
- Signed by "CN=Symantec Corporation, OU=IT_Security, O=Symantec Corporation, L=Pune, ST=Maharashtra, C=IN"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA, 2048-bit key
jar verified.
- 1.8.0.131
$ /usr/java/jdk1.8.0_131/bin/jarsigner -verbose -verify /opt/SYMCScan/bin/guijar.jar
...
- Signed by "CN=Symantec Corporation, OU=IT_Security, O=Symantec Corporation, L=Pune, ST=Maharashtra, C=IN"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Please apply the attached re-signed JAR files as follows:
1. Stop the Symantec Protection Engine service.
2. Go to the Symantec Protection Engine installation directory.
Default path for Windows: C:\Program Files (x86)\Symantec\Scan Engine
Default path for Linux/Solaris: /opt/SYMCScan/bin/
3. Back up the following JARs from the installation directory:
- certinstall.jar
- guijar.jar
- serializer.jar
- servers.jar
- xalan.jar
- xercesImpl.jar
- xml-apis.jar
4. Replace the JARs with the JARs provided in the hotfix.
5. Make sure that the permissions and ownership of all the newly copied files are the same as those of the backed-up files.
6. Start the Symantec Protection Engine service and access the console.
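To confirm the replacement, the jarsigner check shown above can be run over all seven JARs from step 3. The script below is an added example, not part of the hotfix or of Symantec's tooling; the function names and status labels are assumptions made for illustration. It also flags JARs that an older JDK still reports as verified but that name MD5 or MD2, which is the case that breaks on upgrade to 1.8.0_131.

```shell
#!/bin/sh
# Added example (not from the hotfix): classify `jarsigner -verbose -verify`
# output for the JARs replaced in steps 3-4.

# The seven JARs listed in step 3.
SPE_JARS="certinstall.jar guijar.jar serializer.jar servers.jar xalan.jar xercesImpl.jar xml-apis.jar"

# classify_jarsigner_output: read jarsigner output on stdin and print one of
#   disabled   - this JDK already marks the algorithm "(weak)" / treats the JAR as unsigned
#   at-risk    - an algorithm line names MD5 or MD2 (listed in jdk.jar.disabledAlgorithms)
#   verified   - "jar verified." with no MD5/MD2 algorithm reported
#   unverified - none of the above (unsigned JAR, missing file, other error)
# The RSA keySize < 1024 rule from the same property is not checked here.
classify_jarsigner_output() {
    out=$(cat)
    case "$out" in
        *"(weak)"*|*"treated as unsigned"*)      echo disabled ;;
        *"algorithm: MD5"*|*"algorithm: MD2"*)   echo at-risk ;;
        *"jar verified."*)                       echo verified ;;
        *)                                       echo unverified ;;
    esac
}

# check_spe_jars DIR [JARSIGNER]: verify every JAR in DIR and print its status.
# Returns non-zero if any JAR is not cleanly verified.
# Example: check_spe_jars /opt/SYMCScan/bin /usr/java/jdk1.8.0_131/bin/jarsigner
check_spe_jars() {
    dir=$1
    jarsigner=${2:-jarsigner}
    rc=0
    for jar in $SPE_JARS; do
        status=$("$jarsigner" -verbose -verify "$dir/$jar" 2>&1 | classify_jarsigner_output)
        printf '%-18s %s\n' "$jar" "$status"
        [ "$status" = verified ] || rc=1
    done
    return $rc
}
```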