When testing with Unsafe access denied, as JEP 498 indicated JDK 26 would have originally made it throw (though this seems to have been delayed), I noticed Sigstore silently failing to build the bundle.
Tested on JDK 25 and 26 with --sun-misc-unsafe-memory-access=deny parameter added.
Sigstore silently fails to build the bundle via Bundle#from(Reader) - it seems to be an uncaught exception here.
On JDKs 25 and 26, without the explicit denial, this warning is produced and sigstore completes normally:
WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::arrayBaseOffset has been called by com.google.protobuf.UnsafeUtil$MemoryAccessor (file:/H:/Programming/astroimagej/AIJ-Run/ij.jar)
WARNING: Please consider reporting this to the maintainers of class com.google.protobuf.UnsafeUtil$MemoryAccessor
WARNING: sun.misc.Unsafe::arrayBaseOffset will be removed in a future release
Relates to a protobuf issue.
Overriding the protobuf version to 4.35.0 seems to workaround the issue as a user, producing the following warning:
Jun 24, 2026 4:21:43 PM com.google.protobuf.UnsafeUtil getUnsafe
WARNING: As part of the planned removal, sun.misc.Unsafe is available in the current environment but configured to throw on use. Protobuf will continue without using it, but with slightly reduced performance. --sun-misc-unsafe-memory-access=allow is likely available to opt back in if desired. A later Protobuf version release will stop using sun.misc.Unsafe entirely.
api("dev.sigstore:sigstore-java:2.2.0")
constraints {
implementation("com.google.protobuf:protobuf-java-util:4.35.0") {
because("previous versions use sun.misc.Unsafe which is deprecated and will be removed in future")
}
}
When testing with Unsafe access denied, as JEP 498 indicated JDK 26 would have originally made it throw (though this seems to have been delayed), I noticed Sigstore silently failing to build the bundle.
Tested on JDK 25 and 26 with
--sun-misc-unsafe-memory-access=denyparameter added.Sigstore silently fails to build the bundle via
Bundle#from(Reader)- it seems to be an uncaught exception here.On JDKs 25 and 26, without the explicit denial, this warning is produced and sigstore completes normally:
Relates to a protobuf issue.
Overriding the protobuf version to
4.35.0seems to workaround the issue as a user, producing the following warning: