Add the Microsoft Identity Verification Root CA 2020 #23360

Open
wants to merge 1 commit into
base: master

@ebourg ebourg commented Jan 29, 2025

Hi,

Microsoft launched a new code signing service last year called Azure Trusted Signing. This service differs from the traditional code signing PKI because Microsoft manages the root CA directly and uses it to issue short-lived signing certificates (valid for only 3 days). Users no longer have to purchase or renew a code signing certificate every few years; the service operates on a monthly subscription model.

The new root certificate has been deployed to Windows 7 through Windows 11 via system updates and can now be used for signing Windows applications.

However, Azure Trusted Signing cannot be used for signing JAR files, as its root CA is neither included in the Java truststore nor cross-signed by an existing CA already present in the truststore.

I'm therefore suggesting adding the Microsoft Identity Verification Root CA 2020 certificate to the Java truststore. The rationale is that if this certificate is trusted for signing Windows applications, it could also be considered trustworthy for signing Java applications.

The root certificate is listed on the Microsoft PKI repository; its SHA-1 thumbprint is f40042e2e5f7e8ef8189fed15519aece42c3bfa2.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/23360/head:pull/23360
$ git checkout pull/23360

Update a local copy of the PR:
$ git checkout pull/23360
$ git pull https://git.openjdk.org/jdk.git pull/23360/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 23360

View PR using the GUI difftool:
$ git pr show -t 23360

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/23360.diff
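
Added example (not part of the pull request or the OpenJDK code base): a small Java 17+ program that checks whether the default truststore of the running JDK, as loaded by `TrustManagerFactory`, already contains a root with the SHA-1 thumbprint quoted in the description above. The class name `RootThumbprintCheck` and its helper methods are made up for this illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class RootThumbprintCheck {
    // SHA-1 thumbprint quoted in the pull request description.
    static final String EXPECTED = "f40042e2e5f7e8ef8189fed15519aece42c3bfa2";

    // Accepts "F4:00:42:..." or "f4 00 42 ..." and returns bare lowercase hex.
    static String normalize(String thumbprint) {
        return thumbprint.replaceAll("[^0-9A-Fa-f]", "").toLowerCase(Locale.ROOT);
    }

    // Thumbprint = SHA-1 over the DER encoding of the whole certificate.
    static String sha1Thumbprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return HexFormat.of().formatHex(digest);
    }

    // Returns the matching trust anchor from the default truststore, or null.
    static X509Certificate findInDefaultTruststore(String thumbprint) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default truststore (normally cacerts)
        String wanted = normalize(thumbprint);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (sha1Thumbprint(ca).equals(wanted)) return ca;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String thumbprint = args.length > 0 ? args[0] : EXPECTED;
        X509Certificate root = findInDefaultTruststore(thumbprint);
        if (root == null) {
            System.out.println("not trusted: no root with SHA-1 " + normalize(thumbprint));
            System.exit(1);
        }
        System.out.println("trusted: " + root.getSubjectX500Principal().getName());
    }
}
```

Run it with `java RootThumbprintCheck.java`; an exit status of 1 means no trust anchor with that thumbprint is present in the truststore the JDK loaded.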


bridgekeeper bot commented Jan 29, 2025

👋 Welcome back ebourg! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.


openjdk bot commented Jan 29, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.


openjdk bot commented Jan 29, 2025

@ebourg The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.
