On Fri, 15 Oct 2021 14:02:15 GMT, Sean Mullan <mul...@openjdk.org> wrote:

>> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
>> that uses a JKS KeyStore object can continuously load it using a null 
>> password (in fact, any password) and see all certificates inside.
>
> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:
> 
>> 72:                 cert = (X509Certificate) cf.generateCertificate(fis);
>> 73:             }
>> 74:             ks.setCertificateEntry(alias, cert);
> 
> In the previous code, we always used a fixed date (cert's notBefore) for the 
> creation date. Now, it seems it will be always different and based on when it 
> was created. I'm not really sure if this is an issue in practice, but I think 
> it is worth thinking about a bit more - do you have any thoughts on this?

If that means the build will become non-reproducible, then *I* certainly have 
thoughts about it! ;-)

-------------

PR: https://git.openjdk.java.net/jdk/pull/5948
