Time stamping a jar

Question

I had following qustions about timestamping a jar: (exe timestamping is working fine)

1. Do we have to "purchase" anything for timestamping , similar to code signing certificate?
2. Is it mandatory to timestamp the exe/jar from the same TSA , with which it is signed? We have purchased a code signing certificate from GoDaddy. The "http://support.godaddy.com/help/article/4833/about-code-signing-certificates" link of GoDaddy says:

Is there a limit to the amount of time stamp requests allowed for a Code Signing certificate? No. Unlike some of our competitors, we do not limit the number of time stamp requests which can be issued by a single Code Signing certificate.

From above statement, I understand tha the timestamp can be done, if you have code signing certificate purchased.

using command: jarsigner -keystore mykeys -sigfile SIG -signedjar SignedApp.jar -tsacert testalias app.jar johndoe

where testalias is the TSA's public key certificate.

Where can I get GoDaddy's TSA public key certificate ?

If I use below command to timestamp

jarsigner -verbose -keystore C:\a.pfx -storepass <password> -storetype pkcs12 C:\abc.jar -tsa http://tsa.starfieldtech.com <pfx certificate alias>

I get the following error:

jarsigner: Certificate chain not found for: -tsa. -tsa must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

3. Apart from How to validate if a signed jar contains a timestamp?, is there any easier way to check the timestamp of a jar

Answer 1

1. No, you don't have to purchase anything else. Your certificate is enough.
2. It is desirable to timestamp your jars, because otherwise they will expire when your certificate expire.

It looks like you permuted the options for jarsigner. Try this order:

jarsigner -verbose -keystore C:\a.pfx -storepass <password> -storetype pkcs12 -tsa http://tsa.starfieldtech.com C:\abc.jar "<pfx certificate alias>"