On Tue, 20 Sep 2022 17:53:27 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> Now that this API has a section about signed JARs, I think it is very > important to include the following sentences which are copied from `JarFile`: > > "Please note that the verification process does not include validating the > signer's certificate. A caller should inspect the return value of > [JarEntry.getCodeSigners()](https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/util/jar/JarEntry.html#getCodeSigners()) > to further determine if the signature can be trusted." Add the note per your request ------------- PR: https://git.openjdk.org/jdk/pull/10045