-tsa or -tsacert timestamp for applet jar self-signed

java jar applet signed-applet

The recent Java 7 provides a (courtesy?) warning about something which has been in place for a decade...

Trusted Timestamping was introducing in Java 5 (2004). The motivation was so that developers would not be forced "to re-sign deployed JAR files annually" when the certificates expired.

→ http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html

A URL-based Time Stamp Authority (TSA) is usually provided by the issuing Certificate Authority (CA) to work with the same certificates the CA issued. For example, the digicert tsa url can be access as follows:

jarsigner -tsa http://timestamp.digicert.com [.. other options]

→ http://www.digicert.com/code-signing/java-code-signing-guide.htm

Time stamping with self-signed certificate may be an elusive goal since (1) a TSA timestamp needs to be an trusted arms-length transaction (which rules out "self timestamping"), and (2) typical TSA URLs are setup to work with the certificates provided by the same CA organization (i.e. the TSA URL does not process a self-signed certificate)

Update:

URLs to try for timestamping self-signed certificates:

  • Symantec: -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp (per comment by brad-turek)

For a private network, one could consider an internal Timestamp Authority such as such as Thales (nCipher) Time Stamp Server (or historically OpenTSA)


This warning tells you that your jar's certificate will expire in may. Hence, users will not be able to execute your program after this date.

To improve the situation, the timestamp feature was added. This way, you can tell users: "I used the certificate at this point of time (which is provided and verified by the time stamp agency - tsa), when it was still valid!" As long as you do not change and resign your jar, it will still run, even after the certificate expires, because users see that at the point of creation the certificate was indeed valid.

For reference: http://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html

tl;dr: if you ignore the warning, your jar won't run after 14-05-08. Add a timestamp, and it will still run as long as you don't modify anything.

Regards

Related

Java 8 Unsafe: xxxFence() instructions
How to use raw sql with ecto Repo
Typescript & operator
What is the difference queue:work and queue:listen
How to test an `npm publish` result, without actually publishing to NPM?
What are the performance impacts of 'functional' Rust?
Invoking a constructor in a 'with' statement
Insert row in table for each id in another table
Using Migration Assistant corrupted Time Capsule hard drive
How to use selected text in apple script? I want to add text before and after it
Can I in general upgrade to one of the latest MacOS but not the most latest one? [duplicate]
"An unknown error occurred" when signing into iMessage account with Apple ID on macOS