When this blog was originally posted the change was
Beginning with the April 2017 Critical Patch Update, JAR files signed using MD5 will no longer be considered signed by the Oracle JRE. Affected MD5-signed JAR files will no longer be considered trusted and, as a result, will not run by default, as in the case of Java applets or Java Web Start applications.
This change in the JRE behavior is required because MD5 is no longer considered secure and is widely considered unsuitable for security use. In fact, the MD5 with RSA algorithm stopped being the default JAR signing option with Java SE 6, released back in 2006. It is critical that weak hashing algorithms (such as MD5) be deprecated when they are known to be weak so as to maintain the trust in the verification mechanism they provide.
This change affecting MD5-signed JARs will be enabled by default no sooner than with Oracle Java SE 8u131, which will be released with the April 2017 Critical Patch Update, as well as in the corresponding releases of Oracle Java SE 7, Oracle Java SE 6 and Oracle JRockit R28, which will be available to qualified customers through My Oracle
In order to prepare for this upcoming change, developers need to verify that their JAR files have not been signed using MD5. You can do this with your own JARs by verifying that your build process signs JARs using Java 6 or later without having deliberately chosen MD5. If you are using JARs you did not sign or build yourself, you need to contact your vendor for more information. If it can no longer be established whether a JAR you are using has been signed with MD5, the recommended practice is to re-sign affected JAR files using a more modern algorithm. Before re-signing, be sure to remove any existing MD5 signatures using the zip utility as follows:
zip -d test.jar 'META-INF/*.SF'
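As an added example that is not from the original post or from Oracle, the following Python script checks the signature-algorithm side of that question: it walks the DER of each META-INF/*.RSA, *.DSA or *.EC block and reports any md5 or md5WithRSAEncryption OID, since a JAR signed with MD5withRSA by an old jarsigner typically still carries SHA-1 digests in its .SF file. The fake_pkcs7 helper builds a constructed SignedData skeleton as sample input, not a real signature; the OID values are the standard ones.

```python
import io
import zipfile

MD5_OID, MD5_RSA_OID = bytes.fromhex("2a864886f70d0205"), bytes.fromhex("2a864886f70d010104")
MD5_OIDS = {MD5_OID: "md5", MD5_RSA_OID: "md5WithRSAEncryption"}  # standard DER OID bodies
SHA256_OID = bytes.fromhex("608648016503040201")  # used only to build the clean sample
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with a short or long definite length."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body
def fake_pkcs7(digest_oid: bytes) -> bytes:
    """Constructed stand-in for META-INF/*.RSA: a SignedData skeleton, not a valid signature."""
    alg_id = tlv(0x30, tlv(0x06, digest_oid) + tlv(0x05, b""))  # AlgorithmIdentifier
    signer = tlv(0x30, tlv(0x02, b"\x01") + alg_id + tlv(0x04, b"\x00" * 256))  # SignerInfo-like
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg_id) + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, signed))
def build_jar(sig_block: bytes) -> bytes:
    """Assemble a minimal signed-JAR layout in memory around one signature block (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.RSA", sig_block)
    return buf.getvalue()

def der_oids(data: bytes) -> set:
    """Collect every OBJECT IDENTIFIER body in a DER blob, descending into constructed elements only."""
    oids, stack = set(), [data]
    while stack:
        buf, i = stack.pop(), 0
        while i + 2 <= len(buf):
            tag, ln, i = buf[i], buf[i + 1], i + 2
            if ln & 0x80:  # long form: the low 7 bits give the count of length bytes that follow
                n = ln & 0x7F
                ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
            body, i = buf[i:i + ln], i + ln
            if tag == 0x06:
                oids.add(body)
            elif tag & 0x20:  # SEQUENCE, SET, [n]: walk the children too
                stack.append(body)
    return oids
def md5_algorithms(jar_bytes: bytes) -> dict:
    """Map each META-INF signature block (*.RSA, *.DSA, *.EC) to the MD5 algorithms it names."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                hits[name] = sorted(MD5_OIDS[o] for o in der_oids(zf.read(name)) & set(MD5_OIDS))
    return hits
def uses_md5(jar_bytes: bytes) -> bool:
    return any(md5_algorithms(jar_bytes).values())
```

The .SF file's digest headers (such as MD5-Digest-Manifest) are the other place MD5 can appear and are outside this scan.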
More technical information can be found in the October 2016 Critical Patch Update Release Notes for Java SE.
Oracle has already informed a number of software vendors, including source licensees, of the upcoming changes. Users concerned about the effect of this change on third party applications should contact their
Cryptography is a dynamic field. In order to keep users and developers informed about upcoming changes in this area, Oracle has recently published a new web page at java.com/cryptoroadmap. This page provides information about upcoming cryptographic changes in Oracle JRE and Oracle JDK, and related technical instructions.