
This is a new domain for me, so I am not entirely sure how to interpret the available information.

Research yields the following relevant posts:

Version 1.50 + WebStart: signature not verified

java SSL and cert keystore

However, I am still not sure if this is noise or if I am lacking configuration in my JVM or JDK environment.

Do I conclude that these files are valid and safe to use?

What do I need to do to eliminate the warning messages?

My question is how do I interpret the following messages that are generated by this command:

jarsigner -verify -verbose -certs bcmail-jdk15on-157.jar

Generates the following output:

  s      11224 Thu May 11 17:31:18 EDT 2017 META-INF/MANIFEST.MF
  X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
  [certificate is valid from 3/10/17 8:15 PM to 4/25/20 3:00 AM]
  X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
  [certificate is valid from 4/25/01 3:00 AM to 4/25/20 3:00 AM]
  [CertPath not validated: Path does not chain with any of the trust anchors]

  [entry was signed on 5/11/17 3:31 AM]
  X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Oracle Corporation
  [certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
  X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation
  [certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
  [CertPath not validated: Path does not chain with any of the trust anchors]

    8546 Thu May 11 17:31:20 EDT 2017 META-INF/BC1024KE.SF
    2221 Thu May 11 17:31:20 EDT 2017 META-INF/BC1024KE.DSA
    8546 Thu May 11 17:31:18 EDT 2017 META-INF/BC2048KE.SF
    6365 Thu May 11 17:31:18 EDT 2017 META-INF/BC2048KE.DSA
       0 Thu May 11 17:30:54 EDT 2017 org/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/mail/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/mail/smime/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/mail/smime/examples/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/mail/smime/handlers/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/mail/smime/util/
       0 Thu May 11 17:30:54 EDT 2017 org/bouncycastle/mail/smime/validator/
       sm       715 Thu May 11 17:27:56 EDT 2017 org/bouncycastle/mail/smime/CMSProcessableBodyPart.class

  X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
  [certificate is valid from 3/10/17 8:15 PM to 4/25/20 3:00 AM]
  X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
  [certificate is valid from 4/25/01 3:00 AM to 4/25/20 3:00 AM]
  [CertPath not validated: Path does not chain with any of the trust anchors]

  [entry was signed on 5/11/17 3:31 AM]
  X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Oracle Corporation
  [certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
  X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation
  [certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
  [CertPath not validated: Path does not chain with any of the trust anchors]
  .
  .
  .
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

  jar verified.

  Warning:
  This jar contains entries whose certificate chain is not validated.
  This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2020-04-25) or after any future revocation date.

1 Answer


BouncyCastle signs the JAR only with their special code signing certificate for security providers. This is necessary in order to use the JAR as a security provider in Java. BouncyCastle doesn't sign the JAR for use in, e.g., applets or WebStart. If you need to use it in, e.g., applets or WebStart, you need to sign the JAR additionally with your public certificate.

ingenue
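To see what "CertPath not validated: Path does not chain with any of the trust anchors" actually means, here is an added example (written for this answer, not code from the question, from jarsigner, or from Bouncy Castle) that opens the JAR with signature verification turned on, pulls the signer chain from each entry, and runs the same PKIX path validation jarsigner does, but against a trust store you name on the command line. The JAR path, trust-store path and password are assumed arguments; run it once against the JRE cacerts to reproduce the warning, and once against a keystore into which the signing CA from the chain has been imported as a trusted certificate to see the chain validate.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
// Usage: java JarSignerCheck <jar> <truststore.jks> [password]
// Constructed example; not part of jarsigner or of the Bouncy Castle distribution.
public class JarSignerCheck {
    // Returns one line per distinct signer DN (plus one per unsigned entry): does the chain reach a trust anchor?
    public static Map<String, String> check(String jarPath, String trustStorePath, char[] pass) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, pass);
        }
        PKIXParameters params = new PKIXParameters(trust);   // every trusted cert in the store becomes a trust anchor
        params.setRevocationEnabled(false);                  // jarsigner does not check revocation by default either
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        Map<String, String> results = new LinkedHashMap<>();
        try (JarFile jar = new JarFile(new File(jarPath), true)) {   // true: verify manifest digests and signatures
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {     // reading to EOF triggers the digest check;
                    byte[] buf = new byte[8192];                   // a tampered entry throws SecurityException here
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();         // null when the entry carries no signature
                if (signers == null) { results.put("unsigned:" + e.getName(), "UNSIGNED"); continue; }
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath();         // chain taken from the .DSA/.RSA signature block
                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    String signer = leaf.getSubjectX500Principal().getName();
                    if (results.containsKey(signer)) continue;     // same signer chain seen on an earlier entry
                    try {
                        validator.validate(path, params);
                        results.put(signer, "chains to a trust anchor");
                    } catch (CertPathValidatorException ex) {     // this is jarsigner's "CertPath not validated"
                        results.put(signer, "NOT validated: " + ex.getMessage());
                    }
                }
            }
        }
        return results;
    }
    public static void main(String[] args) throws Exception {
        char[] pass = args.length > 2 ? args[2].toCharArray() : "changeit".toCharArray(); // JRE cacerts default
        check(args[0], args[1], pass).forEach((k, v) -> System.out.println(v + "  " + k));
    }
}
```

A "NOT validated" result with "jar verified." from jarsigner means the per-file digests and signatures are intact but the signer is unknown to that trust store; if you rely on the signature for anything beyond loading a JCE provider, decide explicitly which CA or signer certificate you trust and import it, rather than treating the warning as noise.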