
Let's say my application is running in a closed network. I want to verify a signed JAR that used the time stamping option, but the certificate has expired. What will happen?

Does the timestamp verification require access to the timestamp server on the Internet?

I read this post, but it didn't cover this particular aspect: What happens when a code signing certificate expires?

beyonddc

1 Answer


The time stamp is an assertion that the code was signed at a particular time, that is digitally signed by the time stamp authority.

If the code-signing certificate was valid at that time, its signature is still valid, even after the code-signing certificate expires.

The time stamp will be checked against the current time, so it may be helpful if the machine's time is synchronized with the Network Time Protocol. But, you can choose to rely on a local clock.

In order to validate the various signing certificates, their revocation status should be checked. (I'm not sure if this is actually done.) This could use OCSP, but only if you explicitly configure it. By default, any revocation check would use a locally provided CRL.

So, communication with the time stamp authority is not necessary.

erickson