-
Bug
-
Resolution: Cannot Reproduce
-
P3
-
None
-
7, 8, 9
-
x86
-
windows_7
FULL PRODUCT VERSION :
java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7600]
A DESCRIPTION OF THE PROBLEM :
Given a Java application that has been signed with a certificate that was valid at the time of signing, and timestamped with a TSA (https://timestamp.geotrust.com/tsa).
That application starts (Web Start) without a warning with any JRE 1.6, and 1.7u0 and 1.7u1.
However, starting it with 1.7u2 or later (up to 1.7u6), a security warning pops up, saying that the certificate has expired, without mentioning that the certificate was valid at the time of signing.
REGRESSION. Last worked in version 7
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Take an old .jar file that has been signed with a certificate that was valid at that time, but not anymore.
Make sure that signature was timestamped correctly.
Start that jar file with JNLP, and you will get the warning.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No warning about the signature being expired, since it was valid at the time of signing.
ACTUAL -
A Security information dialog pops up with a big yellow warning sign, saying that the application's digital signature has expired.
Since it's displayed as a warning, it's suggesting that the user shouldn't start it, which implies that all valid, signed applications will become 'hazardous' over time when the signature expires.
What's the use of timestamping when you'll get a warning anyway when the certificate expires?
ERROR MESSAGES/STACK TRACES THAT OCCUR :
The application's digital signature has expired
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
If you know one, please let me know.
- duplicates
-
JDK-7166299 Java Web Start Does Not Fully Support Certificate Time-Stamped Jars
-
- Closed
-
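The check the report expects, as an added example that is not part of the bug report or the JDK's own code: for each signed entry of a jar, it compares the signer certificate's validity now with its validity at the timestamp recorded in the signature. The class name `TimestampCheck` and the output wording are assumptions; it does not validate the trust chain of the signer or of the TSA.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper: usage is "java TimestampCheck app.jar"
public class TimestampCheck {
    public static void main(String[] args) throws Exception {
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Code signers are only available once the entry has been read to the end;
                // a tampered entry makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println(e.getName() + ": UNSIGNED"); continue; }
                for (CodeSigner s : signers) report(e.getName(), s);
            }
        }
    }

    static void report(String name, CodeSigner s) {
        // The signer's own certificate is the first one in the certification path.
        X509Certificate cert = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
        Timestamp ts = s.getTimestamp();   // null when the signature carries no timestamp
        String now = validAt(cert, new Date()) ? "valid now" : "EXPIRED now";
        String atSigning = ts == null ? "no timestamp"
                : validAt(cert, ts.getTimestamp()) ? "valid at " + ts.getTimestamp()
                : "NOT valid at " + ts.getTimestamp();
        System.out.println(name + ": certificate " + now + "; " + atSigning);
    }

    static boolean validAt(X509Certificate cert, Date when) {
        try { cert.checkValidity(when); return true; }
        catch (CertificateException ex) { return false; }   // expired or not yet valid
    }
}
```

An entry reported as "EXPIRED now; valid at ..." is the case described in the report: the certificate has lapsed, but the timestamp shows it was valid when the jar was signed.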