David Hook
The tool is clearly faulty, or it is not scanning the jars you think it is. The CVE does not apply to 1.0.2.4.
Appears settled.
Are you able to provide a (non-BC) SHA-3 signed document?
Hmm. Possibly, change should appear on GitHub shortly, but try what's in https://www.bouncycastle.org/betas and let me know how it goes.
Looking at the stack traces these aren't using the BC zip library. Is it possible to provide something that reproduces the issue? I think the changes are coincidental, it's likely...
I think we could better document this - the reason for it happening is because the BC PGP API is a streaming API, so order of events is tied in...
Thanks for the patch. Merged!
Inactive.
The jar is signed using the JCE signing certificate, this is embedded in the JVM but not something jarsigner has access to. Signing certificates can be obtained through IBM or...
Yes. The SubjectPublicKeyInfo structure contains additional data as well as the point values.