Java 1.5 added an enhancement to support signature timestamps. The idea, as far as I can tell, is that signed jar files should not become invalid just because the code signing certificate has expired, as long as the files were signed while the certificate was valid. In theory, this means we do not have to re-sign and redeploy our applications every year when the certificate expires. Unfortunately, there seem to be problems in the implementation, based on these two forum threads:
http://forums.sun.com/thread.jspa?threadID=744677
http://forums.sun.com/thread.jspa?threadID=5309004
I'm about to begin testing this, but I was wondering if anyone has successfully done this, without having to import the timestamping certificate on the client (which would defeat the whole purpose)?
The Thawte TSA root certificate was added to Sun's JRE cacerts file in 6u10 and 5.0u18.
Unfortunately, this feature appears to be completely worthless at this time. It is easy to add a timestamp when signing a jar file, just add this parameter to the jarsigner
command:
-tsa https://timestamp.geotrust.com/tsa
This is the URL to Thawte's timestamping server. Unfortunately, the Thawte timestamping CA cert is not included in the Java runtime's list of trusted CA certs, so it is effectively meaningless. That is, if you load the applet after the code signing certificate has expired, you get the "untrusted" warning dialog instead of the "trusted" one.
There is a "workaround", of sorts, posted here, but it works by embedding the Thawte timestamping CA cert in the applet itself, and running keytool
on the client to import the cert. I can't see how this would work though, since the user will already have seen the signed code dialog before this code can run.
I'll keep looking for a solution, but I'm not hopeful. I can't imagine why a usable timestamping CA cert has not been included with the Java runtime after all this time.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With