-tsa or -tsacert timestamp for applet jar self-signed

流过昼夜 提交于 2019-12-17 15:36:19

问题


When I was trying to self-sign in the jar like below.

jarsigner -keystore my keystore myjar.jar myalias

It gives warning like:

No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2014-05-08) or after any future revocation date.

Please help to resolve the problem.


回答1:


The recent Java 7 provides a (courtesy?) warning about something which has been in place for a decade...

Trusted Timestamping was introducing in Java 5 (2004). The motivation was so that developers would not be forced "to re-sign deployed JAR files annually" when the certificates expired.

→ http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html

A URL-based Time Stamp Authority (TSA) is usually provided by the issuing Certificate Authority (CA) to work with the same certificates the CA issued. For example, the digicert tsa url can be access as follows:

jarsigner -tsa http://timestamp.digicert.com [.. other options]

→ http://www.digicert.com/code-signing/java-code-signing-guide.htm

Time stamping with self-signed certificate may be an elusive goal since (1) a TSA timestamp needs to be an trusted arms-length transaction (which rules out "self timestamping"), and (2) typical TSA URLs are setup to work with the certificates provided by the same CA organization (i.e. the TSA URL does not process a self-signed certificate)

Update:

URLs to try for timestamping self-signed certificates:

  • Symantec: -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp (per comment by brad-turek)

For a private network, one could consider an internal Timestamp Authority such as such as Thales (nCipher) Time Stamp Server (or historically OpenTSA)




回答2:


This warning tells you that your jar's certificate will expire in may. Hence, users will not be able to execute your program after this date.

To improve the situation, the timestamp feature was added. This way, you can tell users: "I used the certificate at this point of time (which is provided and verified by the time stamp agency - tsa), when it was still valid!" As long as you do not change and resign your jar, it will still run, even after the certificate expires, because users see that at the point of creation the certificate was indeed valid.

For reference: http://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html

tl;dr: if you ignore the warning, your jar won't run after 14-05-08. Add a timestamp, and it will still run as long as you don't modify anything.

Regards




回答3:


I was facing the same problem. Without the timestamp the jar would not get signed.

When you add -tsa http://timestamp.digicert.com, it would not give any warning or error but still the jar would not be signed.

But then I added the following part and it worked for me.

-tsacert alias

So, basically my final command was

jarsigner -verbose -tsa http://timestamp.digicert.com -tsacert alias  -sigalg SHA256withRSA -digestalg SHA1 -keystore my-release-key.keystore android-release-unsigned.apk alias_name

Remember the alias_name in the command and the one in keystore should be the same.




回答4:


This error is caused if updates were made with JDK Java/Oracle 1.7 u51. This JDK is NOT identical to the previous one.

You can install a previous version of the JDK BEFORE u51 (for exemple 1.7u45), or install JDK 6.

Then, when you re-compile, you won't see the error.



来源:https://stackoverflow.com/questions/21695520/tsa-or-tsacert-timestamp-for-applet-jar-self-signed

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!