If I create a keystore and sign a jar with these commands:
keytool -genkey -alias myalias -keyalg RSA -validity 365 -keystore keys/my.keystore
jarsigner -verbose -keystore keys/my.keystore -signedjar my_signed.jar my_unsigned.jar myalias
Then I would generate a certificate which is valid for 365 days. What happens to the jar file after 365 days? Is it still runnable? Can someone still get the signer of it when they use "jarsigner verify"? How can the certificate be updated?
The jarsigner tool has an option (-tsa url) according to http://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html
If you use the tsa option, a signed timestamp is included in the signature of the jar. A lot of CAs that offer code signing certificates have such a timestamp server. When the signature of the jar is later verified, the client checks whether the certificate was still valid when the jar was signed. So the jar can still be verified even if the year has passed. You should use the time server of your CA, since the signature of the timestamp can then be verified (the certificate chain is already included, since you signed the code with a certificate from that CA).
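A way to see what a verifier actually gets out of a signed jar once the certificate's validity window has passed, as an added example that is not part of the original question or answer: the program below is my own code, built on the standard java.util.jar and java.security classes. It reads every entry of the jar so that its CodeSigners are populated, prints the signer certificate's validity period, checks it against the current date, and, if a TSA timestamp is present in the signature, checks the certificate against the signing time instead. The file name my_signed.jar comes from the question; the class name JarSignerCheck is my own choice.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the question or answer): report signer certificate
// validity, now and at the TSA-attested signing time, for each entry of a jar.
public class JarSignerCheck {

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck my_signed.jar");
            System.exit(2);
        }
        // verify=true (the default) makes JarFile check the signature-file digests
        // while entries are read; a tampered entry raises a SecurityException.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // signature files themselves are never signed
                }
                // getCodeSigners() only returns data after the entry is read to EOF.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain the entry */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    continue;
                }
                for (CodeSigner signer : signers) {
                    report(entry.getName(), signer);
                }
            }
        }
    }

    // Print who signed the entry and whether that certificate is valid now and,
    // if a timestamp token is present, whether it was valid when the jar was signed.
    static void report(String name, CodeSigner signer) {
        X509Certificate cert =
            (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
        System.out.println(name + ": signed by " + cert.getSubjectX500Principal());
        System.out.println("  certificate valid " + cert.getNotBefore()
                           + " .. " + cert.getNotAfter());
        System.out.println("  valid now: " + isValidAt(cert, new Date()));

        Timestamp ts = signer.getTimestamp(); // null when signed without -tsa
        if (ts == null) {
            System.out.println("  no TSA timestamp: validity can only be judged "
                               + "against the current date");
            return;
        }
        Date signedAt = ts.getTimestamp();
        X509Certificate tsaCert =
            (X509Certificate) ts.getSignerCertPath().getCertificates().get(0);
        System.out.println("  TSA timestamp " + signedAt
                           + " issued by " + tsaCert.getSubjectX500Principal());
        System.out.println("  signer cert valid at time of signing: "
                           + isValidAt(cert, signedAt));
    }

    // checkValidity(Date) is how a verifier asks "was this cert valid at that moment".
    static boolean isValidAt(X509Certificate cert, Date when) {
        try {
            cert.checkValidity(when);
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return false;
        }
    }
}
```

Run it as `java JarSignerCheck my_signed.jar`. JarFile on its own only verifies that the entry digests match the signature; it does not reject an expired certificate, which is why the program reports both the current-date check and, when a timestamp token exists, the check at signing time. A jar signed without -tsa will show "no TSA timestamp", and after the 365 days its "valid now" line turns false with nothing to fall back on; a jar signed with -tsa keeps the "valid at time of signing: true" line, which is the property the answer describes. jarsigner -verify -verbose -certs prints the equivalent certificate and timestamp details from the command line.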