Jarsigner with Timestamping Behind a Firewall

We've supported timestamping in jarsigner for a long time. By providing a -tsa option to the command when signing a jar file, a timestamping block will be added to the signed jar. This makes an application to be accepted by Java Plugin in a future time when the signer's certificate already expires.

In a lot of enterprise environments, you need to go through a firewall to access the Internet, here, the TSA (Time Stamping Authority). We've noticed this some time ago. Therefore, when a connection to the TSA is not available, jarsigner would print out a message like this:

jarsigner: unable to sign jar: no response from the Timestamping Authority. When connecting from behind a firewall then an HTTP proxy may need to be specified. Supply the following options to jarsigner:
  -J-Dhttp.proxyHost=<hostname>
  -J-Dhttp.proxyPort=<portnumber>
We thought this is very helpful, but there are still some customer feedbacks saying it does not work. It turns out that when a TSA server provides its service through an HTTPS website, in order to specify the proxy setting, you should use another pair of system property names:
  -J-Dhttps.proxyHost=<hostname>
  -J-Dhttps.proxyPort=<portnumber>
Detailed of proxy support in Java can be found here.

In order for people using other languages to reach this page, here are the same messages in Simplified Chinese and Japanese:

jarsigner: 无法对 jar 进行签名: 时间戳颁发机构没有响应。 如果要从防火墙后面连接, 则可能需要指定 HTTP 代理。请为 jarsigner 提供以下选项:
and
jarsigner: jarに署名できません: タイムスタンプ局からのレスポンスがありません。 ファイアウォールを介して接続するときは、必要に応じてHTTPプロキシを指定してください。 jarsignerに次のオプションを指定してください:
(Best wishes for people in Japan. Hope this earthquake/tsunami/nuclear crisis can be over soon.)
Comments:

> Detailed of proxy support in Java can be found here.

This link is defunct. What options do i have to use to provide username and password to the proxy?

Posted by guest on October 28, 2011 at 02:13 PM CST #

Updated.

Posted by Author on May 10, 2012 at 12:17 PM CST #

What about supply credentials for proxy servers requiring authentication? I tried -Dhttps.proxyUser=username -Dhttps.proxyPassword=password and jarsigner fails with "unable to sign jar: java.net.ConnectException: Connection refused"

Posted by Justin on November 06, 2015 at 01:59 AM CST #

Does this help?

http://stackoverflow.com/questions/1626549/authenticated-http-proxy-with-java

Posted by Author on November 07, 2015 at 04:39 PM CST #

No, that tells how to write code that authenticates. I want to use the jarsigner executable with a proxy that requires authentication. It seem that Java itself doesn't have a standard pair of system properties for username and password like there are for the host and port.

Posted by Justin on November 07, 2015 at 10:56 PM CST #

Seems so. I don't have a better solution either.

Posted by Author on November 07, 2015 at 11:29 PM CST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

This blog has a comments managing system that requires me to approve each comment manually. Please do not re-post and I will reply it (if I have an answer) when I get pinged.

Search

Top Tags
Categories
Archives
« June 2016
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
  
       
Today