Skip to content

Sigstore silently fails with Unsafe access disabled #1226

Description

@keastrid

When testing with Unsafe access denied, as JEP 498 indicated JDK 26 would have originally made it throw (though this seems to have been delayed), I noticed Sigstore silently failing to build the bundle.

Tested on JDK 25 and 26 with --sun-misc-unsafe-memory-access=deny parameter added.

Sigstore silently fails to build the bundle via Bundle#from(Reader) - it seems to be an uncaught exception here.

On JDKs 25 and 26, without the explicit denial, this warning is produced and sigstore completes normally:

WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::arrayBaseOffset has been called by com.google.protobuf.UnsafeUtil$MemoryAccessor (file:/H:/Programming/astroimagej/AIJ-Run/ij.jar)
WARNING: Please consider reporting this to the maintainers of class com.google.protobuf.UnsafeUtil$MemoryAccessor
WARNING: sun.misc.Unsafe::arrayBaseOffset will be removed in a future release

Relates to a protobuf issue.

Overriding the protobuf version to 4.35.0 seems to workaround the issue as a user, producing the following warning:

Jun 24, 2026 4:21:43 PM com.google.protobuf.UnsafeUtil getUnsafe
WARNING: As part of the planned removal, sun.misc.Unsafe is available in the current environment but configured to throw on use. Protobuf will continue without using it, but with slightly reduced performance. --sun-misc-unsafe-memory-access=allow is likely available to opt back in if desired. A later Protobuf version release will stop using sun.misc.Unsafe entirely.
api("dev.sigstore:sigstore-java:2.2.0")
    constraints {
        implementation("com.google.protobuf:protobuf-java-util:4.35.0") {
            because("previous versions use sun.misc.Unsafe which is deprecated and will be removed in future")
        }
    }

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions