8

If i create a keystore and sign a jar with this commands:

keytool -genkey -alias myalias -keyalg RSA -validity 365 -keystore keys/my.keystore

jarsigner -verbose -keystore keys/my.keystore -signedjar my_signed.jar my_unsigned.jar myalias

Then i would generate a certificate which is 365 days valid. What does happen to the jar file after 365 days? Is it still runnable? Can someone still get the signer of it when he uses "jarsigner verify"? How can the certificate be update?

Che Veyo
  • 375
  • 3
  • 14
  • 1
    Good question, quick suggestion create a certificate with a very short validity period and try it out. I'd be interested to see the answer too :) – Paul Whelan Jul 27 '15 at 11:24
  • I found the following question and answer that suggest its depends, http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates – Paul Whelan Jul 27 '15 at 11:26
  • Yes i thought about that too, but i have to sign it today :) – Che Veyo Jul 27 '15 at 11:26
  • What about: http://stackoverflow.com/q/21695520/4815184. Malte's answer is nice and clear. – Sjoerd Pottuit Jan 06 '16 at 10:43

1 Answers1

5

The jarsigner tool has a option (-tsa url) according to http://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html

If you use the tsa option a signed timestamp is included to the signature of the jar. A lot of CAs that offer code signing certificates have such a timestamp server. When the signature of the jar is later verified the client checks if the certificate was still valid when the jar was signed. So the jar can be still verified even if the year has passed. You should use the time server of your CA since the signature of the timestamp can then be verified (the certificate chain is already included - since you singed the code with a certificate from that ca)

David Feurle
  • 2,687
  • 22
  • 38