Sorry this is not a direct answer to your question, but something similar exists for Microsoft Windows executables. In those, the time stamping authority signature is not a replacement for the CA, it is in addition to the CA. The TSA signature appears as a countersignature in the appropriate spot. I don't know how or if any of this maps onto the jarsigner facility but it might give you a few ideas.
The same process takes place when signing Java jar files with a TSA. The signature is first applied with the code signing certificate, and then signed again by the TSA to include the timestamp. The problem is that the browser-based Java plugin seems to ignore this timestamp when deciding whether the applet code is a security threat. Documentation seems to indicate that as long as the certificate was valid when the code was signed (which is why I'm now using the timestamp) then the Java plugin won't spawn a security warning. However, this does not seem to be the case: the security warning appears regardless of the timestamp. This means that our Java jar files must be upgraded every two years as the certificate expires - a huge undertaking.
So my question is, am I doing something wrong? Or is ignoring the timestamp the expected plugin behavior, and I need to revise my expectations?
Late reply, but it is only now that I discovered the answer.
The timestamp server certificate must be signed by one of JRE's trusted roots.
I don't know about older JREs, but my JRE 1.6.0_23 recognizes https://timestamp.geotrust.com/tsa.
Therefore, when signing, use this as your tsa.
The source of info is: http://www.thawte.com/resources/ssl-information-center/ssl-beyond-ecommerce/code-signing-faq/
The timestamp server certificate must be signed by one of JRE's trusted roots. Or else its certificate must be imported into the truststore you are using.
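The two answers above boil down to one check: the TSA's certificate chain has to end in a root that the verifying JRE's truststore already contains. The following script is an added example, not code from anyone in this thread. It signs with `jarsigner -tsa`, looks for the TSA's root in the JRE's `cacerts`, and classifies the output of `jarsigner -verify -verbose -certs` so that a "timestamped but chain not trusted" result is visible before the jar ships. The keystore name, alias, TSA URL and `cacerts` path are placeholders, the default `cacerts` password `changeit` is the JDK's stock value, and the phrases matched in the verifier output ("Timestamped by", "certificate chain is not validated") are an assumption about recent JDK wording that may need adjusting for a given version. The sample verifier output at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sign a jar with a TSA and check that the timestamp will be trusted.
# Assumes a JDK's jarsigner and keytool on PATH. All values below are placeholders.
KEYSTORE="${KEYSTORE:-codesign.jks}"
ALIAS="${ALIAS:-codesign}"
TSA_URL="${TSA_URL:-https://timestamp.example/tsa}"          # placeholder TSA URL
CACERTS="${CACERTS:-$JAVA_HOME/lib/security/cacerts}"         # JDK 8: $JAVA_HOME/jre/lib/security/cacerts

# Step 1: sign the jar and have the TSA countersign the signature (embedded timestamp).
sign_with_tsa() {
  jarsigner -keystore "$KEYSTORE" -tsa "$TSA_URL" "$1" "$ALIAS"
}

# Step 2: is a root whose subject contains the given fragment present in cacerts?
# Exit status 0 means found. "changeit" is the JDK's default truststore password.
root_in_cacerts() {
  keytool -list -v -keystore "$CACERTS" -storepass changeit 2>/dev/null \
    | grep -qi "^Owner:.*$1"
}

# Step 3: classify `jarsigner -verify -verbose -certs` output read on stdin.
# Prints one of: untrusted-chain, timestamped, untimestamped.
# Assumption: the matched phrases follow recent JDK wording; adjust per version.
classify_verify_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -qiE 'certificate chain is not validated|certificate chain is invalid'; then
    echo untrusted-chain          # timestamp may be present, but the JRE will not honour it
  elif printf '%s\n' "$out" | grep -qi 'Timestamped by'; then
    echo timestamped              # countersignature present and its chain validated
  else
    echo untimestamped            # signed without -tsa (or TSA unreachable at signing time)
  fi
}

# Convenience wrapper for a real jar.
verify_jar() {
  jarsigner -verify -verbose -certs "$1" 2>&1 | classify_verify_output
}

# Constructed sample of verifier output for a jar whose TSA root is not trusted,
# so the script can be exercised without a JDK present.
SAMPLE_UNTRUSTED='- Signed by "CN=Example Corp, O=Example Corp"
    Digest algorithm: SHA-256
  Timestamped by "CN=Example TSA, O=Example CA" on Mon Jan 01 00:00:00 UTC 2018
Warning:
This jar contains entries whose certificate chain is not validated.'

demo() {
  printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_verify_output
}
```

Typical use is `sign_with_tsa myapp.jar` followed by `verify_jar myapp.jar`; if that prints `untrusted-chain`, run `root_in_cacerts "Example CA"` with the TSA's issuer name to confirm the root is missing, and either switch to a TSA whose root the JRE ships with or import the TSA's root into the truststore the deployment actually uses.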
Ok, bad wording 'source'. I did what the link says and suddenly everything worked. So I went more in depth, looked at the trusted roots and realized why it did not work before and why it works now. I wanted to provide some reference for the solution rather than just saying 'use such and such server and it will work'.