On 02/29/2012 11:32 PM, Xuelei Fan wrote:
So far, I only have a very minor comment:

The block from line 875 to 880 is a little overlapped with lines 884 to
889. Is it possible to improve the code?

A flag added:

  http://cr.openjdk.java.net/~weijun/7149012/webrev.01/


I'm not sure whether it is better to not-show the warning for
timestamped signatures with expired certificates. Need more time to

In this case, jarsigner would show

      [entry was signed on 10/24/03 4:18 PM]
      [certificate is valid from 10/24/03 5:29 AM to 10/25/03 5:29 AM]

if -verbose -certs is specified. Please note the *was* word. It just does not print a warning. Except for the "Will Expire in 6 Months" one, most warnings will be actual errors when loaded in Java Plug-in.

understand the scenarios of time-stamping in JarSigner. Is the
validity of the TSA certificate also checked?

Yes, during the verification of the jar file, its info is included in the CodeSigner class.

Thanks
Max


Xuelei

On 2/27/2012 3:00 PM, Weijun Wang wrote:
Hi All

Please take a look at this code change:

http://cr.openjdk.java.net/~weijun/7149012/webrev.00/

Jarsigner will not print a warning if the signer cert is expired but a
timestamp shows the jar was signed before the expiration date.

Another change is that the chainNotValidated flag now does not cover
hasExpiredCert and notYetValidCert anymore. The result is that when
trying to sign (or verify) with an expired cert, instead of the
duplicated and somewhat confusing

The signer certificate has expired.
The signer's certificate chain is not validated.

warnings, user will only see

The signer certificate has expired.

User will still see the chainNotValidated warning if the CertPath is not
validated because of other reasons.

On the other hand, since these 3 flags share the same exit code (4),
users will not notice the exit code change when -strict is on.

There is no regression test added to the openjdk repository because it's
not easy to generate a timestamp with an old date. I have found an old
signed jar with a timestamp and signed by a now-expired cert. I will
include these binary files into the jdk/test/closed repository and the
test is a simple "jarsigner -verify -strict" call.

Thanks
Max

-------- Original Message --------
*Change Request ID*: 7149012

*Synopsis*: jarsigner needs not warn about cert expiration if the jar
has a TSA timestamp

=== *Description*
============================================================
If the cert used to sign a jar is expired, jarsigner will print out a
warning, and if -strict is specified, exits with an error. However, if
there is a TSA timestamp attached to the jar (and the timestamp is shown
to be before the expiration), it's completely valid and jarsigner should
not report any warning or error.
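
The rule discussed in this thread, as an added Java example (it is not the webrev's code and not jarsigner's implementation): an expired signer certificate only counts as a warning when no timestamp places the signing before the certificate's notAfter date. The class name `TimestampedExpiryCheck`, the helper `warnExpired` and the use of `args[0]` as the path to a signed jar are assumptions; the example does not assess the TSA certificate's own validity.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class TimestampedExpiryCheck {   // hypothetical class name

    /** True if the expiry warning should be shown for this signer certificate. */
    static boolean warnExpired(X509Certificate cert, Timestamp ts, Date now) {
        if (!now.after(cert.getNotAfter())) {
            return false;               // certificate has not expired yet
        }
        // Expired today: warn unless a timestamp shows signing happened before expiry.
        return ts == null || ts.getTimestamp().after(cert.getNotAfter());
    }

    public static void main(String[] args) throws Exception {
        Date now = new Date();
        // verify=true makes JarFile check entry digests against the signature files
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory()) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* signers are set only after a full read */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue;   // unsigned entry or signature-related file
                for (CodeSigner s : signers) {
                    X509Certificate cert = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp();   // null when no TSA timestamp is attached
                    System.out.printf("%s: notAfter=%s signedOn=%s warnExpired=%b%n",
                            entry.getName(), cert.getNotAfter(),
                            ts == null ? "no timestamp" : ts.getTimestamp(),
                            warnExpired(cert, ts, now));
                }
            }
        }
    }
}
```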

