Wednesday, March 23, 2011

Has anyone successfully used signature timestamps in a java applet?

Java 1.5 added an enhancement to support signature timestamps. The idea, as far as I can tell, is that signed jar files should not become invalid just because the code signing certificate has expired, as long as the files were signed while the certificate was valid. In theory, this means we do not have to re-sign and redeploy our applications every year when the certificate expires. Unfortunately, there seem to be problems in the implementation, based on these two forum threads:

I'm about to begin testing this, but I was wondering if anyone has successfully done this, without having to import the timestamping certificate on the client (which would defeat the whole purpose)?

From stackoverflow
  • Unfortunately, this feature appears to be completely worthless at this time. It is easy to add a timestamp when signing a jar file, just add this parameter to the jarsigner command:


    This is the URL to Thawte's timestamping server. Unfortunately, the Thawte timestamping CA cert is not included in the Java runtime's list of trusted CA certs, so it is effectively meaningless. That is, if you load the applet after the code signing certificate has expired, you get the "untrusted" warning dialog instead of the "trusted" one.

    There is a "workaround", of sorts, posted here, but it works by embedding the Thawte timestamping CA cert in the applet itself, and running keytool on the client to import the cert. I can't see how this would work though, since the user will already have seen the signed code dialog before this code can run.

    I'll keep looking for a solution, but I'm not hopeful. I can't imagine why a usable timestamping CA cert has not been included with the Java runtime after all this time.

    Gili : Jason, You should file a RFE in BugParade, similar to Sun won't fix this unless you do this.
  • The Thawte TSA root certificate was added to Sun's JRE cacerts file in 6u10 and 5.0u18.


Post a Comment