JDK-8180289

jarsigner treats timestamped signed jar invalid after the signer cert expires


    • Fix Version: 9
    • Resolved in Build: b30
    • Verification: Verified

If a jar was signed some time ago with a timestamp, at a time when the signer cert was still valid, it should be treated as valid even after the signer cert expires. However, jarsigner shows a warning saying the signer cert chain is not validated.

jarsigner has always performed its own validity check, and that check takes the timestamp into account. On the other hand, it also performs a CertPath validation, and this validation has never used the timestamp. Before JDK-8172529, when the validation threw a CertificateExpiredException or CertificateNotYetValidException, the exception was simply ignored because the validity had already been checked. After JDK-8172529, the exceptions are only ignored when jarsigner's own validity check fails. The result is that when a timestamp exists and the signer cert expired after the timestamp, jarsigner's own validity check succeeds, but the CertPath validation fails (since it does not use the timestamp) and the exception is now rethrown.
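The following is an added example, not code from the JDK or from this bug report. It shows the check the description implies: a PKIX CertPath validation of each signer in a signed jar that is pinned to the signature timestamp date (via PKIXParameters.setDate) whenever one is present, so an expiry after the timestamp does not fail the chain. The class name is hypothetical; it assumes a signed jar path and a truststore file (for example cacerts) are passed as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class TimestampAwareJarCheck {
    // Validates every signer cert path in the jar. When the signature carries
    // a timestamp, PKIX validation is evaluated as of that date, mirroring what
    // jarsigner's own validity check already does with the timestamp.
    public static Map<String, String> check(String jarPath, KeyStore trust) throws Exception {
        Map<String, String> results = new LinkedHashMap<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available after the entry has been read fully.
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { results.put(e.getName(), "UNSIGNED"); continue; }
                for (CodeSigner s : signers) {
                    results.put(e.getName(), validate(s.getSignerCertPath(), s.getTimestamp(), trust));
                }
            }
        }
        return results;
    }

    static String validate(CertPath path, Timestamp ts, KeyStore trust) throws Exception {
        PKIXParameters params = new PKIXParameters(trust);   // trusted roots from the truststore
        params.setRevocationEnabled(false);
        if (ts != null) {
            params.setDate(ts.getTimestamp());   // validate the chain as of signing time
        }
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return ts == null ? "VALID (no timestamp)" : "VALID as of " + ts.getTimestamp();
        } catch (CertPathValidatorException ex) {
            return "INVALID: " + ex.getReason() + ": " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, null); }
        check(args[0], ks).forEach((name, v) -> System.out.println(name + ": " + v));
    }
}
```

The TSA's own certificate path (ts.getSignerCertPath()) is not validated here; a complete check also needs to establish that the timestamp itself is trustworthy before relying on its date.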

Assignee: Weijun Wang
Reporter: Weijun Wang
