Update notice When this blog post was originally posted the change was scheduled to occur with the January 2017 Critical Patch Update. In response to requests for additional time to prepare for this change Oracle now plans to deliver this change with the April 2017 Critical Patch Update. The post has been updated accordingly.

Beginning with the April 2017 Critical Patch Update, JAR files signed using MD5 will no longer be considered as signed by the Oracle JRE. Affected MD5-signed JAR files will no longer be considered trusted and as a result will not be able to run by default, such as in the case of Java applets, or Java Web Start applications.

This change in the JRE behavior is required because MD5 is no longer considered secure and is widely considered unsuitable for security use. In fact, the MD5 with RSA algorithm stopped being the default JAR signing option with Java SE 6 released back in 2006. It is critical that weak hashing algorithms (such as MD5) be deprecated when they are known to be weak so as to maintain the trust in the verification mechanism they provide.

This change affecting MD5-signed JARS will be enabled by default no sooner than with Oracle Java SE 8u131 which will be released with the April 2017 Critical Patch Update, as well as in the corresponding releases of Oracle Java SE 7, Oracle Java SE 6 and Oracle JRockit R28, which will be available to qualified customers through My Oracle Support.

In order to prepare for this upcoming change, developers need to verify that their JAR files have not been signed using MD5. You can do this with your own JARs by verifying your build process signs JARs using Java 6 or later without having deliberately chosen MD5. If you are using JARS you did not sign or build yourself, you need to contact your vendor for more information. If it can no longer be established if a JAR you are using has been signed with MD5, the recommended practice is to re-sign affected JAR files using a more modern algorithm. Be sure to remove any existing MD5 signatures first before re-signing using the zip utility as follows:

zip -d test.jar 'META-INF/*.SF'

'META-INF/*.RSA' 'META-INF/*.DSA'

More technical information can be found in the October 2016 Critical Patch Update Release Notes for Java SE.

Oracle has already informed a number of software vendors, including source licensees, of the upcoming changes. Users concerned about the effect of this change on third party applications should contact their respective vendor.

Cryptography is a dynamic field. In order to keep users and developers informed about upcoming changes in this area, Oracle has recently published a new web page at java.com/cryptoroadmap. This page provides information about upcoming cryptographic changes in Oracle JRE and Oracle JDK, and related technical instructions.