Tuesday Mar 08, 2016

Adding a Timestamp to a Signed Java RIA

As the title suggests, the focus for this article revolves around adding timestamps to signed Java Rich Internet Applications.  The related subtopics are worth mentioning up front in case the reader is interested in jumping right to one of those areas:

  1. Example Signed (and Timestamped) RIAs
  2. What is Timestamping and Why Should I Care?
  3. How Can Code Be Signed and Timestamped?
  4. How Can you Verify That a Jar File Has Been Signed?
  5. How Can you Integrate Signing and Timestamping into a NetBeans Project?

Example Signed (and Timestamped) RIAs

If your interest lies solely in getting access to a signed and timestamped Java web application, here are two that can be run by clicking on the images below.  The SocketServerFX and SocketClientFX applications, when run simultaneously and connected, demonstrate how simple text can be sent and received over sockets. For those experimenting with Deployment Rule Sets, these two web applications could serve as test examples for use in managing RIA access.

What is Timestamping and Why Should I Care?

Applications signed with a trusted certificate come with an expiration date.  At expiration, the code signer has to re-issue the software package with with an updated certificate in order to maintain a valid trusted signature.  There are a whole host of reasons why re-signing may be impractical; the question becomes, is it possible to validate trusted signatures even after they have expired, thus prolonging their lifetime?  The answer is yes by including a timestamp verified by a Timestamp Authority.  With the timestamp, you're essentially proving that your code signing certificate was still valid at the time of signing.

How Can Code be Signed and Timestamped?

The jarsigner utility, found in the Java Development Kit, is the mechanism used to for signing Java applications.  A -tsa argument can be included on the command-line to specify a Timestamp Authority.  A sample invocation from a Windows system might look something like this:

> jarsigner -keystore code-sign.jks -tsa http://timestamp.comodoca.com \
SocketServerFX.jar "jim connors's comodo ca limited id"

Enter Passphrase for keystore:
jar signed.

As the code signing certificate referenced above comes from Comodo, one of many trusted certificate authorities, we use their Timestamp Authority to authorize the signature.

How Can You Verify That a Jar File Has Been Signed?

Perhaps not the most elegant solution, you can utilize additional command-line arguments provided for by the jarsigner utility (-verify -verbose -certs) and search for a timestamp that is formatted in a specific way, as demonstrated by the following sample invocation:

> jarsigner -verify -verbose -certs SocketServerFX.jar | findstr signed
      [entry was signed on 3/1/16 8:48 AM]
      [entry was signed on 3/1/16 8:48 AM]
      . . .
      [entry was signed on 3/1/16 8:48 AM]

If you see text of the form "[entry was signed on ...]", then you know the jar file has been signed and timestamped.  If the jar is not timestamped, no such output will appear.

How Can you Integrate Signing and Timestamping into a NetBeans Project?

Within the NetBeans IDE, if you'd like to sign and timestamp your application automatically as part of your build process, you can do so by making a few modifications to your NetBeans project.

1. Add the following properties onto your project's project.properties file:

# Properties for custom signjar
jnlp.signjar.alias=<your certificate alias>
jnlp.signjar.keystore=<keystore file containing certificate private key>
jnlp.signjar.keypass=<keystore passphrase>
jnlp.signing.tsaurl=<URL for TimeStamp Authority>

2. Add the following target to the project's build.xml file.
    This should be placed at the bottom of the file but before the </projects> directive.

<!-- Custom Code Timestamping using Ant's signjar instead of NetBeans -->
<target name="sign-jars" depends="-check-signing-possible">
        <echo message="Using custom code for signing and timestamping via build.xml..."/>
                <fileset dir="dist" includes="*.jar" />

By running the sign-jars ant target, your project's jar file will be signed and timestampped.

Thursday Dec 04, 2008

Why JavaFX is Relevant

This week marks the formal release of JavaFX 1.0.  During the interval between the early marketing blitz and now, we've heard a lot from our friends in the press and the blogosphere, and in many instances what they had to say was not very pretty.  Some think the Rich Internet Application platform battle lines are already drawn between Adobe and Microsoft, and dismiss Sun as having arrived too late to the party.  Others opine that JavaFX's underlying Java platform is so yesterday.  In fact Java is the primary reason why JavaFX will, much to the chagrin of many, receive serious consideration.  Here's why:

  • Java is ubiquitous.  It is the proven, de-facto platform for web-based deployment.  On the desktop, it is estimated that approximately 90% of PCs have Java installed. In fact the major PC OEMs have seen fit to install it for you out of the box.  In the mobile world, Java is the dominant deployment platform.  Billions (that's with a 'b') of devices run Java.
  • The Java development community is arguably the largest on the planet.  Java gained initial widespread acclaim as a productive development environment, and continues to do so.  As JavaFX is an evolution of Java and seamlessly integrates with it, human nature tells us that individuals will naturally want to work with and leverage that which they already know and are familiar with.
  • Alternatives are still no match for the Java Virtual Machine.  It has been extensively studied, vetted, scrutinized, poked, prodded, abused, cloned, and optimized more than any other virtual machine in the history of computing. And just in case you're under the impression that the Java Virtual Machine is limited only to the Java (and now JavaFX script) programming languages, think again.  At last count there were over 200 projects integrating modern dynamic languages to the Java VM.  That list includes the usual suspects like PHP, Ruby, JavaScript, Python, and [insert your favorite language here].
  • The amount of Java Standard Edition online updates is staggering.  We know.  We supply the downloads.  And once a desktop is upgraded, it will be able to take full advantage of the features JavaFX brings to the table, effectively trivializing the barriers to entry.
Many of our most talented folks have been working feverishly to reach this milestone.  That being said, there's still lot's more work to do.  But we're off to a real nice start.  Check out http://javafx.com.  Hmm.  looks like the site is a little sluggish right now.  Maybe we underestimated all the interest?


Jim Connors-Oracle


« May 2016