Since which java version SHA-256 and SHA256withRSA are supported for timestamp at signed jar files

Question

I have the following entry in the signature of my jar file

Timestamped by "CN=GlobalSign TSA for Advanced - G3 - 001-02, O=GMO GlobalSign K.K., C=JP" on Mo Apr 10 11:48:34 UTC 2017
 Timestamp digest algorithm: SHA-256
 Timestamp signature algorithm: SHA256withRSA, 2048-bit key

I already found out that the SHA-256 at the timestamp digest algoirthm and the SHA256withRSA at the timestamp signature algorithm are causing problems when running the jar file on a system which java version is below 1.7.0_76 (jar file is treaded as unsigned).

Can somebody tell me from which java versions on these two algorithms are supported at the timestamp digest and at the timestamp signature?

Answer 1

Java version below 1.7.0_76 not supporting SHA-256 for timestamping caused by https://bugs.openjdk.java.net/browse/JDK-8049480 (The fix included in 1.7.0_76 http://www.oracle.com/technetwork/java/javase/2col/7u76-bugfixes-2389098.html )

From "Oracle JRE and JDK Cryptographic Roadmap", SHA-1 still not be planned to disable on code signing.

So I think the best choice (to support old Java version) for now is using SHA-1 as Timestamping algorithm. (Use below 8u101, 7u111 for signing OR Use the -tsadigestalg option on 8u101, 7u111 or above)

I have tested jar file signed with

Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key

work fine with Java 7, 8, 9(ea+174)

Answer 2

One solution would be to just not time-stamp the jar file. Waiting for some better recommendation...