-tsa or -tsacert timestamp for applet jar self-signed

java jar applet signed-applet
37,197

Solution 1

The recent Java 7 provides a (courtesy?) warning about something which has been in place for a decade...

Trusted Timestamping was introducing in Java 5 (2004). The motivation was so that developers would not be forced "to re-sign deployed JAR files annually" when the certificates expired.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html

A URL-based Time Stamp Authority (TSA) is usually provided by the issuing Certificate Authority (CA) to work with the same certificates the CA issued. For example, the digicert tsa url can be access as follows:

jarsigner -tsa http://timestamp.digicert.com [.. other options]

http://www.digicert.com/code-signing/java-code-signing-guide.htm

Time stamping with self-signed certificate may be an elusive goal since (1) a TSA timestamp needs to be an trusted arms-length transaction (which rules out "self timestamping"), and (2) typical TSA URLs are setup to work with the certificates provided by the same CA organization (i.e. the TSA URL does not process a self-signed certificate)

Update:

URLs to try for timestamping self-signed certificates:

  • Symantec: -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp (per comment by brad-turek)

For a private network, one could consider an internal Timestamp Authority such as such as Thales (nCipher) Time Stamp Server (or historically OpenTSA)

Solution 2

This warning tells you that your jar's certificate will expire in may. Hence, users will not be able to execute your program after this date.

To improve the situation, the timestamp feature was added. This way, you can tell users: "I used the certificate at this point of time (which is provided and verified by the time stamp agency - tsa), when it was still valid!" As long as you do not change and resign your jar, it will still run, even after the certificate expires, because users see that at the point of creation the certificate was indeed valid.

For reference: http://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html

tl;dr: if you ignore the warning, your jar won't run after 14-05-08. Add a timestamp, and it will still run as long as you don't modify anything.

Regards

Solution 3

I was facing the same problem. Without the timestamp the jar would not get signed.

When you add -tsa http://timestamp.digicert.com, it would not give any warning or error but still the jar would not be signed.

But then I added the following part and it worked for me.

-tsacert alias

So, basically my final command was

jarsigner -verbose -tsa http://timestamp.digicert.com -tsacert alias  -sigalg SHA256withRSA -digestalg SHA1 -keystore my-release-key.keystore android-release-unsigned.apk alias_name

Remember the alias_name in the command and the one in keystore should be the same.

Share:
37,197
Raja Peela
Author by

Raja Peela

Updated on July 20, 2020

Comments

  • Raja Peela
    Raja Peela almost 4 years

    When I was trying to self-sign in the jar like below.

    jarsigner -keystore my keystore myjar.jar myalias

    It gives warning like:

    No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2014-05-08) or after any future revocation date.

    Please help to resolve the problem.

  • Benoit Duffez
    Benoit Duffez almost 10 years
    Advising to use an older JDK is not a proper solution.
  • zzeroo
    zzeroo over 9 years
    The correct answer for op's question is: jarsigner -tsa http://timestamp.digicert.com -keystore my keystore myjar.jar myalias
  • Peter Kirschner
    Peter Kirschner almost 9 years
    This is no future safe solution and therefor should not be accepted as correct anwser. stackoverflow.com/a/24178906/2918516 is correct
  • Brad Turek
    Brad Turek almost 7 years
    Symantec has a TSA URL that will timestamp your self-signed app, -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp `
  • l --marc l
    l --marc l almost 7 years
    @brad-turek interesting. … perhaps Symantec supports more than their stated "Symantec Code Signing Certificates include an optional timestamp". I & others would be very happy to have a list of URLs that worked for external timestamping of sign certificates. Thanks.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How should i edit manifest for jar?
Run normal Jar file in web page with the help of applet
Java class file not on classpath
Copy/Paste not working in a signed Applet
Java applet manifest - Allow all Caller-Allowable-Codebase
How to Combine Multiple Jars into One?
Exporting .jar Applet in Eclipse
How do I package up an applet with multiple .jar libraries?
Getting a directory inside a .jar
Java - Set width/height of JLabel