Java Security Topics

  • Java
    December 3, 2013

How to determine if a signed JAR is timestamped

Applying a timestamp when you sign a JAR is strongly recommended: the timestamp proves that the signature was made during the interval in which your code signing certificate was still valid, so the JAR continues to validate after the certificate expires, which prolongs the usable lifetime of your application. Without a timestamp, a verifier that sees the signature after the certificate's expiry date has no evidence that the signing happened while the certificate was valid. There is really no good reason not to apply one, and we encourage all developers to do so as we introduce stricter applet/RIA restrictions in JDK 7u51.

To sign a JAR with a timestamp, use the -tsa option of the jarsigner utility, as follows:

    jarsigner -tsa http://example.tsa.url jar alias

where "http://example.tsa.url" is a placeholder for the URL of the Time Stamp Authority (TSA), jar is the JAR file to sign and alias is the keystore alias of your signing key. jarsigner obtains the timestamp from the TSA using the RFC 3161 Time-Stamp Protocol; the -tsacert option can be used instead of -tsa when the TSA's URL is carried in a certificate in your keystore. Do an internet search for "timestamp server URL" to find TSA servers that you can use.

You can use the jarsigner utility to determine if a signed JAR has been timestamped as follows:

    jarsigner -verify -verbose -certs signed.jar

where signed.jar is the name of your signed JAR. If it is timestamped, the output includes, for each signed entry, a line like the following that reports when the entry was signed:

    [entry was signed on 8/2/13 3:48 PM]

If the JAR is not timestamped, those lines are absent. Currently, the -certs option prints only the code signer's certificate chain, not the Time Stamp Authority's (TSA) chain. However, there is an open RFE to add that functionality.
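The same information is available programmatically through the standard JarFile and CodeSigner APIs, which is useful for checking many JARs in a build or a scan, and which also exposes the TSA's certificate chain that the -certs output above does not show. The following program is an added example, not code from the original post or from the JDK; the class name JarTimestampCheck, the Result labels and the exit-code convention are assumptions of this example. It opens the JAR in verifying mode, reads every entry to its end (the JDK only attaches signers to an entry once it has been fully read), and reports per entry whether it is signed, whether the signature carries a timestamp, and which TSA issued it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Reports, per entry, whether a signed JAR carries an RFC 3161 timestamp and
 * which TSA issued it. Added example; JarTimestampCheck is a hypothetical name.
 */
public class JarTimestampCheck {

    /** Outcome of inspecting one JAR (labels are this example's own). */
    enum Result { UNSIGNED, SIGNED_NO_TIMESTAMP, SIGNED_TIMESTAMPED, MIXED }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarTimestampCheck signed.jar");
            System.exit(2);
        }
        Result r = check(args[0]);
        System.out.println("RESULT " + r);
        // Exit 0 only when every content entry is signed and timestamped.
        System.exit(r == Result.SIGNED_TIMESTAMPED ? 0 : 1);
    }

    static Result check(String path) throws IOException {
        int content = 0, signed = 0, timestamped = 0;
        // verify=true makes the JDK parse and check the .SF/.RSA blocks as
        // entries are read; a modified entry throws SecurityException on read,
        // and an entry with an invalid signature reports no signers at all.
        try (JarFile jar = new JarFile(path, true)) {
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                content++;
                drain(jar, e);                       // signers are only known after EOF
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED    " + e.getName());
                    continue;
                }
                signed++;
                boolean entryTimestamped = false;
                for (CodeSigner s : signers) {
                    X509Certificate signer = leaf(s.getSignerCertPath());
                    Timestamp ts = s.getTimestamp();   // null when -tsa was not used
                    if (ts == null) {
                        System.out.println("NO-TSA      " + e.getName()
                                + "  signer=" + signer.getSubjectX500Principal());
                    } else {
                        entryTimestamped = true;
                        X509Certificate tsa = leaf(ts.getSignerCertPath());
                        System.out.println("TIMESTAMPED " + e.getName()
                                + "  signed=" + ts.getTimestamp()
                                + "  signer=" + signer.getSubjectX500Principal()
                                + "  tsa=" + tsa.getSubjectX500Principal());
                    }
                }
                if (entryTimestamped) timestamped++;
            }
        }
        if (signed == 0) return Result.UNSIGNED;
        if (timestamped == 0) return Result.SIGNED_NO_TIMESTAMP;
        if (signed == content && timestamped == content) return Result.SIGNED_TIMESTAMPED;
        return Result.MIXED;
    }

    /** The manifest and the signature files are not themselves signed entries. */
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
            || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    /** First certificate in the path is the end-entity (signer or TSA) certificate. */
    static X509Certificate leaf(CertPath cp) {
        return (X509Certificate) cp.getCertificates().get(0);
    }

    /** Read the entry to EOF so that the JDK verifies it and records its signers. */
    static void drain(JarFile jar, JarEntry e) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(e)) {
            while (in.read(buf) != -1) { /* discard */ }
        }
    }
}
```

Compile with javac JarTimestampCheck.java and run java JarTimestampCheck signed.jar. A JAR signed without -tsa yields RESULT SIGNED_NO_TIMESTAMP; one signed with -tsa yields SIGNED_TIMESTAMPED together with the TSA's subject name, which is the piece of information jarsigner -verify -certs does not currently print. The printed TSA subject is the name of whoever signed the timestamp token, so whether that TSA is one you trust is still a judgement you have to make yourself.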
