JDK-8180289

jarsigner treats timestamped signed jar invalid after the signer cert expires

Details

    • 9
    • b30
    • Verified

      Description

        If a jar was signed some time ago with a timestamp, at a time when the signer cert was valid, it should be treated as valid even after the signer cert expires. However, jarsigner shows a warning saying the signer cert chain is not validated.

        jarsigner has always performed its own validity check, and that check takes the timestamp into account. It also performs a CertPath validation, and this validation has never used the timestamp. Before JDK-8172529, when the validation threw a CertificateExpiredException or CertificateNotYetValidException, the exception was simply ignored because validity had already been checked. After JDK-8172529, these exceptions are ignored only when jarsigner's own validity check fails. As a result, when a timestamp exists and the signer cert expired after the timestamp, jarsigner's own validity check succeeds, but the CertPath validation fails (because it does not use the timestamp) and the exception is now rethrown.
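The mismatch described above can be observed with the public CertPath API. The following is an added example, not jarsigner's code or the fix for this issue: it validates each signer chain of a signed jar twice, once at the signature timestamp (via `PKIXParameters.setDate`) and once at the current time. The class name and the three command-line arguments (signed jar, truststore file, truststore password) are assumptions of the example.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

// Added example (not jarsigner's code). Assumed arguments: signed JAR, truststore file, password.
public class TimestampAwareCheck {
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(new File(args[1]), args[2].toCharArray());
        Set<CodeSigner> seen = new HashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Signers are only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;
                for (CodeSigner s : signers) if (seen.add(s)) report(s, trust);
            }
        }
    }

    static void report(CodeSigner s, KeyStore trust) throws Exception {
        CertPath path = s.getSignerCertPath();
        X509Certificate signer = (X509Certificate) path.getCertificates().get(0);
        Timestamp ts = s.getTimestamp();
        Date now = new Date();
        // Reference time for the signature: the timestamp when present, otherwise now.
        Date ref = (ts != null) ? ts.getTimestamp() : now;
        System.out.println(signer.getSubjectX500Principal() + ", reference time " + ref);
        System.out.println("  cert validity at reference time: " + validity(signer, ref));
        System.out.println("  PKIX at reference time:          " + pkix(path, trust, ref));
        System.out.println("  PKIX at current time:            " + pkix(path, trust, now));
    }

    static String validity(X509Certificate c, Date when) {
        try { c.checkValidity(when); return "ok"; }
        catch (CertificateExpiredException | CertificateNotYetValidException ex) { return "failed: " + ex.getMessage(); }
    }

    static String pkix(CertPath path, KeyStore trust, Date when) throws Exception {
        PKIXParameters p = new PKIXParameters(trust);
        p.setRevocationEnabled(false); // revocation checking is left out of this example
        p.setDate(when);               // without this the validator uses the current time
        try { CertPathValidator.getInstance("PKIX").validate(path, p); return "ok"; }
        catch (CertPathValidatorException ex) { return "failed: " + ex.getMessage(); }
    }
}
```

For a jar whose signer cert expired after the timestamp, the first two lines report "ok" and the current-time PKIX line reports a failure. The example does not validate the timestamping authority's own certificate chain.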

              People

                weijun Weijun Wang