Topics and trends related to the Java ecosystem with occasional random rants.

  • Sun
    March 8, 2016

Adding a Timestamp to a Signed Java RIA

James Connors
Principal Solutions Consultant

As the title suggests, the focus for this article revolves around adding timestamps to signed Java Rich Internet Applications.  The related subtopics are worth mentioning up front in case the reader is interested in jumping right to one of those areas:

 

  1. Example Signed (and Timestamped) RIAs
  2. What is Timestamping and Why Should I Care?
  3. How Can Code Be Signed and Timestamped?
  4. How Can you Verify That a Jar File Has Been Signed and Timestamped?
  5. How Can you Integrate Signing and Timestamping into a NetBeans Project?

Example Signed (and Timestamped) RIAs

If your interest lies solely in getting access to a signed and timestamped Java web application, here are two that can be run by clicking on the images below.  The SocketServerFX and SocketClientFX applications, when run simultaneously and connected, demonstrate how simple text can be sent and received over sockets. For those experimenting with Deployment Rule Sets, these two web applications could serve as test examples for use in managing RIA access.

 

What is Timestamping and Why Should I Care?

 

 

Applications signed with a trusted certificate come with an expiration date.  At expiration, the code signer has to re-issue the software package with an updated certificate in order to maintain a valid trusted signature.  There are a whole host of reasons why re-signing may be impractical, so the question becomes: is it possible to validate trusted signatures even after they have expired, thus prolonging their lifetime?  The answer is yes, by including a timestamp verified by a Timestamp Authority.  With the timestamp, you're essentially proving that your code signing certificate was still valid at the time of signing.

 

How Can Code be Signed and Timestamped?

The jarsigner utility, found in the Java Development Kit, is the mechanism used for signing Java applications.  A -tsa argument can be included on the command line to specify a Timestamp Authority.  A sample invocation from a Windows system might look something like this:

> jarsigner -keystore code-sign.jks -tsa http://timestamp.comodoca.com SocketServerFX.jar "jim connors's comodo ca limited id"

Enter Passphrase for keystore:
jar signed.

As the code signing certificate referenced above comes from Comodo, one of many trusted certificate authorities, we use their Timestamp Authority to authorize the signature.

How Can You Verify That a Jar File Has Been Signed and Timestamped?

It is perhaps not the most elegant solution, but you can use additional jarsigner command-line arguments (-verify -verbose -certs) and search the output for a timestamp formatted in a specific way, as demonstrated by the following sample invocation:

 

> jarsigner -verify -verbose -certs SocketServerFX.jar | findstr signed
      [entry was signed on 3/1/16 8:48 AM]
      [entry was signed on 3/1/16 8:48 AM]
      . . .
      [entry was signed on 3/1/16 8:48 AM]

If you see text of the form "[entry was signed on ...]", then you know the jar file has been signed and timestamped.  If the jar is not timestamped, no such output will appear.
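
A programmatic alternative to searching jarsigner's output, given here as an added example that is not part of the original article: the JDK exposes the timestamp of each signer through java.security.CodeSigner.getTimestamp(), which returns null when the jar was signed without -tsa. The class name JarTimestampCheck is illustrative, and the check reports whether a timestamp is present; it does not evaluate trust in the certificate chain.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: counts jar entries that are timestamped, signed without a
// timestamp, or not signed at all. Usage: java JarTimestampCheck SocketServerFX.jar
public class JarTimestampCheck {

    // The manifest and the signature files themselves are never signed entries.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarTimestampCheck <file.jar>");
            System.exit(2);
        }
        int timestamped = 0, untimestamped = 0, unsigned = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Signers are populated only after the entry is read to the end;
                // a modified entry raises SecurityException during this read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { unsigned++; continue; }
                for (CodeSigner s : signers) {
                    Timestamp ts = s.getTimestamp();       // null when signed without -tsa
                    if (ts == null) { untimestamped++; continue; }
                    timestamped++;
                    System.out.println(e.getName() + " timestamped " + ts.getTimestamp());
                }
            }
        }
        System.out.printf("timestamped=%d untimestamped=%d unsigned=%d%n",
                timestamped, untimestamped, unsigned);
        // Non-zero exit lets a build script fail when any entry lacks a timestamp.
        System.exit(timestamped > 0 && untimestamped == 0 && unsigned == 0 ? 0 : 1);
    }
}
```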

How Can you Integrate Signing and Timestamping into a NetBeans Project?

Within the NetBeans IDE, if you'd like to sign and timestamp your application automatically as part of your build process, you can do so by making a few modifications to your NetBeans project.

1. Add the following properties onto your project's project.properties file:

# Properties for custom signjar
jnlp.signjar.alias=<your certificate alias>
jnlp.signjar.keystore=<keystore file containing certificate private key>
jnlp.signjar.storepass=<keystore passphrase>
jnlp.signjar.keypass=<private key passphrase>
jnlp.signing.tsaurl=<URL for TimeStamp Authority>


2. Add the following target to the project's build.xml file.
    This should be placed at the bottom of the file, just before the closing </project> tag.

<!-- Custom Code Timestamping using Ant's signjar instead of NetBeans -->
<target name="sign-jars" depends="-check-signing-possible">
    <echo message="Using custom code for signing and timestamping via build.xml..."/>
    <signjar
        alias="${jnlp.signjar.alias}"
        storepass="${jnlp.signjar.storepass}"
        keystore="${jnlp.signjar.keystore}"
        keypass="${jnlp.signjar.keypass}"
        tsaurl="${jnlp.signing.tsaurl}">
        <path>
            <fileset dir="dist" includes="*.jar" />
        </path>
    </signjar>
</target>

By running the sign-jars Ant target, your project's jar file will be signed and timestamped.
 
 

 

Comments ( 2 )
  • Allyson DeRensis Tuesday, April 2, 2019
    Hello.

    I submitted a question earlier, but after messing around with the code I think that I made an error in writing the file path. I am sorry. I do still need help, however. I think it is working now but get the following error:
    Please type jarsigner -help for usage
    Only one alias can be specified
    C:UsersAllyDocumentsAllysonDeRensis-Java3010nbprojectjnlp-impl.xml:253: The following error occurred while executing this line:
    C:UsersAllyDocumentsAllysonDeRensis-Java3010build.xml:83: jarsigner returned: 1
    BUILD FAILED (total time: 4 seconds)

    I removed any other references to "alias" within build.xml and properties.properties. I also told NetBeans not to sign the program, as it automatically can sign it (without a timestamp) for web start.

    I did timestamp it earlier in the command prompt, but the timestamp was not showing up when I viewed the certificate online. So I am thinking that the program needs to be timestamped within NetBeans, as NetBeans builds the launch files?

    Thank you so much for any advice you are able to give.
  • Allyson DeRensis Thursday, April 4, 2019
    Got it! Thank you so much! You are my hero. I had to write it like this:
    #properties for custom signjar
    jnlp.signing.alias=**-***-***-***-***-***
    jnlp.signing.keystore=C:\Program Files\Java\jdk1.8.0_121\bin\theKeystoreFile
    jnlp.signing.storepass=***>
    jnlp.signing.keypass=***>
    jnlp.signing.tsaurl=http://timestamp.comodoca.com/rfc3161