bc-java
Please rotate signing key on released jars
$ jarsigner -verify AmazonCorrettoCryptoProvider-2.5.0.jar
jar is unsigned.
$ jarsigner -verify bc-fips-2.1.2.jar
The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled.
Re-run jarsigner with the -verbose option for more details.
$ jarsigner -verify -verbose bc-fips-2.1.2.jar 2>&1 | tail -n 4
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA denyAfter 2023-02-03, SHA1 denyAfter 2019-01-01
bc-fips appears to be (ultimately) only signed using a DSA signature. Also note that said cert is expiring very soon: "Jan 25 00:58:59 2027 GMT".
Please generate a new signing certificate with an RSA 4096-bit public key, and produce RSA signatures.
Note the bc-fips jar appears to be single signed; if needed, one can also keep the DSA signatures in addition to RSA signatures by running jarsigner multiple times.
Note that FIPS 186-5 was published on 2023-02-03 and prohibits generating any new signatures, and prohibits validating signatures created after that date. Given the DSA signature was timestamped on Mon Sep 22 11:31:05 UTC 2025, it is invalid for verification by FIPS systems.
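To see which clause of the `jdk.jar.disabledAlgorithms` value quoted above makes a signature count as unsigned, here is an added example (not part of the original issue and not Bouncy Castle or JDK code) that parses that property string and evaluates a signature against it. It is a simplified model: one constraint per entry, only `keySize` and `denyAfter` are handled, a signature dated on the `denyAfter` day itself is assumed to be rejected, and the function names are hypothetical.

```python
import re
from datetime import date

# Property value copied from the jarsigner warning quoted in the issue.
DISABLED = ("MD2, MD5, RSA keySize < 1024, DSA denyAfter 2023-02-03, "
            "SHA1 denyAfter 2019-01-01")

OPS = {"<": int.__lt__, "<=": int.__le__, ">": int.__gt__, ">=": int.__ge__,
       "==": int.__eq__, "!=": int.__ne__}

def norm(name):
    """Normalise spellings such as "SHA-1" and "sha1" to "SHA1"."""
    return name.upper().replace("-", "")

def parse(prop):
    """Map algorithm name -> None (always disabled) or one constraint tuple."""
    rules = {}
    for entry in prop.split(","):
        name, _, rest = entry.strip().partition(" ")
        rest = rest.strip()
        size = re.fullmatch(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", rest)
        deny = re.fullmatch(r"denyAfter\s+(\d{4}-\d{2}-\d{2})", rest)
        if not rest:
            rules[norm(name)] = None
        elif size:
            rules[norm(name)] = ("keySize", size.group(1), int(size.group(2)))
        elif deny:
            rules[norm(name)] = ("denyAfter", date.fromisoformat(deny.group(1)))
        else:
            raise ValueError(f"constraint not modelled here: {rest!r}")
    return rules

def rejected(rules, sig_alg, key_alg, key_bits, signed_on=None):
    """Return the rule that disables this signature, or None if it is allowed."""
    when = signed_on or date.today()  # no timestamp: judged as of today
    # "SHA256withDSA" is checked as its parts: SHA256 and DSA.
    parts = set(re.split("WITH|AND", norm(sig_alg))) | {norm(key_alg)}
    for alg in sorted(parts & rules.keys()):
        rule = rules[alg]
        if rule is None:
            return f"{alg} is disabled"
        if (rule[0] == "keySize" and alg == norm(key_alg)
                and OPS[rule[1]](key_bits, rule[2])):
            return f"{alg} keySize {rule[1]} {rule[2]}"
        if rule[0] == "denyAfter" and when >= rule[1]:
            return f"{alg} denyAfter {rule[1]}"
    return None

RULES = parse(DISABLED)
```

Calling `rejected(RULES, "SHA256withDSA", "DSA", 2048, date(2025, 9, 22))` uses the timestamp date from the issue; the digest name and key size in that call are constructed sample values, since the issue does not state them.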