Thanks for the reply.
I have only learned just enough about code signing so I could sign this jar for a project so there are definitely gaps in my knowledge.
The link to the oracle forum mentioned the digital signature thing which was I brought it up. I did run:
keytool -list -v -alias "my alias" -keystore mykeystore.p12 -storetype pkcs12
I only saw the following in the KeyUsage section:
#3: ObjectId: 220.127.116.11 Criticality=false
When I respond to the customer I am definitely going to bring up the dangers of having out of date Java, particularly with the recently found exploit. I just wanted to make sure I understood what other options I had to figure this problem out.