aws / amazon-documentdb-jdbc-driver

Amazon DocumentDB JDBC driver to connect from BI tools and execute SQL Queries
Apache License 2.0

[FEATURE] Please promptly update the intact taco file with a valid signature #564

Open zentry-the-glass opened 6 months ago

zentry-the-glass commented 6 months ago

Dear esteemed brother

The signature of the AWS DocumentDB connector file you uploaded has expired. As a result, I am currently using the command -DDisableVerifyConnectorPluginSignature=true forcefully. I believe, as much as you do, that this is not an ideal solution.

I kindly request you to promptly update the signature on the intact taco file. I implore you to save me from this situation.

@birschick-bq


pvanderknyff commented 3 months ago

Hi, I'm from the connectivity team at Tableau. The signature for the DocumentDB taco is indeed invalid. Looking at the jarsigner output, it's not actually because the certs expired, but because it was signed using an algorithm that newer versions of Java do not deem secure and thus reject. The taco will need to be re-signed with a stronger encryption, and then checked against jarsigner -verify --certs --verbose --strict.

jarsigner output:

D:\dev\monolith>jarsigner -verify --strict --verbose --certs C:\Users\pvanderknyff\Downloads\documentdbjdbc-1.4.4.taco

     558 Thu Jan 06 23:36:38 PST 2022 META-INF/MANIFEST.MF
     693 Thu Jan 06 23:36:38 PST 2022 META-INF/JAVASPEC.SF
    9005 Thu Jan 06 23:36:38 PST 2022 META-INF/JAVASPEC.RSA
       0 Thu Jan 06 23:24:36 PST 2022 META-INF/
m ? 2809 Thu Jan 06 23:24:36 PST 2022 manifest.xml
m ? 6325 Thu Jan 06 23:24:08 PST 2022 connection-fields.xml
m ? 204 Thu Jan 06 23:24:08 PST 2022 connection-metadata.xml
m ? 1311 Thu Jan 06 23:24:08 PST 2022 connectionResolver.tdr
m ? 164 Thu Jan 06 23:24:08 PST 2022 connectionBuilder.js
m ? 2530 Thu Jan 06 23:24:08 PST 2022 connectionProperties.js
m ? 34538 Thu Jan 06 23:24:08 PST 2022 dialect.tdd

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  ? = unsigned entry

  • Signed by "CN=Amazon.com Services LLC, O=Amazon.com Services LLC, L=Seattle, ST=Washington, C=US"
      Digest algorithm: SHA1 (disabled)
      Signature algorithm: SHA1withRSA (disabled), 3072-bit key
    Timestamped by "CN=DigiCert Timestamp 2021, O="DigiCert, Inc.", C=US" on Thu Jan 06 23:36:38 UTC 2022
      Timestamp digest algorithm: SHA-256
      Timestamp signature algorithm: SHA256withRSA, 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01, include jdk.disabled.namedCurves

D:\dev\monolith>java -version
openjdk version "11.0.20" 2023-07-18 LTS
OpenJDK Runtime Environment Zulu11.66+16-SA (build 11.0.20+8-LTS)
OpenJDK 64-Bit Server VM Zulu11.66+16-SA (build 11.0.20+8-LTS, mixed mode)
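A pre-release check for the failure described in the comment above, as an added example that is not part of the thread or of the driver project: it reads the `META-INF/*.SF` signature files of a `.taco`/JAR archive, reports digest algorithms that appear on the quoted `jdk.jar.disabledAlgorithms` list, and lists payload entries that no signature file covers. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Digest names from the jdk.jar.disabledAlgorithms line quoted above; .SF
# attribute names spell SHA-1 as "SHA1".
WEAK_DIGESTS = {"MD2", "MD5", "SHA1", "SHA-1"}
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
SF_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)


def audit_signed_archive(archive):
    """Report digest algorithms per signature file and entries none of them cover."""
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
        signers, covered = {}, set()
        for name in filter(SF_FILE.match, names):
            text = zf.read(name).decode("utf-8", "replace")
            text = re.sub(r"\r?\n ", "", text)  # undo 72-byte line wrapping
            digests = {m.group(1).upper() for m in DIGEST_ATTR.finditer(text)}
            signers[name] = {"digests": sorted(digests),
                             "weak": sorted(digests & WEAK_DIGESTS)}
            covered.update(re.findall(r"^Name: (.+?)\r?$", text, re.M))
        payload = {n for n in names
                   if not n.endswith("/") and not n.upper().startswith("META-INF/")}
        return {
            "signers": signers,
            "has_signature_block": any(SIG_BLOCK.match(n) for n in names),
            "unsigned_entries": sorted(payload - covered),
        }


def build_sample(digest):
    """Constructed archive: entry names echo the listing above, contents are dummies."""
    sf = (f"Signature-Version: 1.0\r\n{digest}-Digest-Manifest: AAAA\r\n\r\n"
          f"Name: manifest.xml\r\n{digest}-Digest: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/JAVASPEC.SF", sf)
        zf.writestr("META-INF/JAVASPEC.RSA", b"placeholder, not a real PKCS#7 block")
        zf.writestr("manifest.xml", "<connector-plugin/>")
        zf.writestr("dialect.tdd", "<dialect/>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, audit_signed_archive(build_sample(alg)))
```

This only inspects the digest attribute names in the signature files; it does not validate the signature or the certificate chain, so `jarsigner -verify --strict` remains the acceptance check.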

narek commented 3 months ago

Hey thank you for reaching out to me! We are working on this and will have the package updated soon.

Narek Gevorgyan | Technology / Product Guy

Mobile: +1 512-661-1849

LinkedIn https://www.linkedin.com/in/narekgev/
