
What happens if the certificate of a signed jar (with timestamp) expires

I signed a jar (of an applet) with timestamp 2 years ago. The cert is about to expire. What will happen? Will there be a warning to the user, will it simply work? Will it stop working?

I didn't add any specific code to the applet to deal with the timestamp. I only included the -tsa url when signing.

Edit: it keeps working.

fwend asked Mar 01 '16 17:03


1 Answer

Prior to Java 5 SE, signed jars whose signing certificate had expired would no longer be valid or usable.

With Java 5 SE and greater, signed jars whose signing certificate expires will continue to work. The expired certificate, however, cannot be used to sign any further jars.

From Oracle's docs:

Prior to J2SE 5.0, the signature generated by jarsigner contained no information about when the signature was generated. With no other information available, systems/deployers (including users of the Java Plug-in) often based their validity assessment of a signed JAR file on the validity of the signing certificate. When the signing certificate expires, systems/deployers conclude that the signature, and hence, the JAR file, has expired. Because signing certificates typically expire annually, this caused customers significant problems by forcing them to re-sign deployed JAR files annually.

Starting in J2SE 5.0, jarsigner can generate signatures that include a timestamp, thus enabling systems/deployer (including Java Plug-in) to check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs were added in J2SE 5.0 to allow applications to obtain the timestamp information.

Afforess answered Sep 20 '22 13:09
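
The check the quoted Oracle passage describes, as an added example (not from the answer or from Oracle's documentation): it reads a signed JAR through the APIs available since J2SE 5.0 and reports whether each signer's certificate was valid at the timestamped signing time. The class name `JarTimestampCheck` and the JAR path passed as the first argument are assumptions; certificate chain and TSA trust validation are left out.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarTimestampCheck {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // args[0]: path to a signed JAR supplied by the reader (assumption).
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Skip directories and META-INF/, where the signature files live.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only known once the entry has been read to the end;
                // a modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // The signer's own certificate is first in the path.
                    X509Certificate cert = (X509Certificate)
                            signer.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = signer.getTimestamp();   // null when no -tsa was used
                    // With a timestamp, judge the certificate at signing time;
                    // without one, only the current time is available.
                    Date at = (ts != null) ? ts.getTimestamp() : new Date();
                    String basis = (ts != null) ? "timestamped signing time" : "now (no timestamp)";
                    System.out.println(entry.getName() + ": " + check(cert, at) + " at " + at + " [" + basis + "]");
                }
            }
        }
    }

    // Returns "cert valid" or the reason checkValidity rejected the date.
    static String check(X509Certificate cert, Date at) {
        try { cert.checkValidity(at); return "cert valid"; }
        catch (CertificateException e) { return "cert NOT valid (" + e.getMessage() + ")"; }
    }
}
```

For a JAR signed with `-tsa`, an expired signing certificate still reports `cert valid` because the date checked is the signing time; the same JAR signed without a timestamp falls back to the current time and reports the expiry.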