maven-issues mailing list archives

From "Tony Chemit (JIRA)" <j...@codehaus.org>
Subject [jira] (MSHARED-299) Add support for -tsa during signing (Trusted Timestamping)
Date Fri, 08 Nov 2013 17:01:52 GMT
Tony Chemit created MSHARED-299:
-----------------------------------

             Summary: Add support for -tsa during signing (Trusted Timestamping)
                 Key: MSHARED-299
                 URL: https://jira.codehaus.org/browse/MSHARED-299
             Project: Maven Shared Components
          Issue Type: New Feature
          Components: maven-jarsigner
    Affects Versions: maven-jarsigner-1.0
            Reporter: Tony Chemit


Trusted Timestamping, introduced in Java 5 (2004), allows your customers to validate your
signature even after the certificate has expired. When you sign a JAR file, the Timestamp
Authority uses their clock to act as a notary and cryptographically write the date and time
into your file.
Without this timestamp, users would only be able to validate your signature based on their
current date and time. This could be problematic for long-running or embedded systems because
the standard X.509 Certificates contain a NotAfter date that typically ranges from one to
four years.

You interact with timestamp authorities when signing code with jarsigner’s
TSA argument:

jarsigner -tsa http://timestamp.verisign.com …

When your signed file provides a timestamp, Java is able to use that information within the
PKIXParameters and determine:
- Do I trust this timestamp authority to act as a notary?
- Is the signature date before the certificate’s time of expiration?
- Based on Certificate Revocation Lists, was this certificate valid on or before the signature
date?

If the answer to all questions is yes, then the signature is deemed valid even if the certificate
has expired. Therefore, signed code on embedded devices will continue to operate beyond the
Certificate’s lifetime.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
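
An added example, not part of the original message or of maven-jarsigner: a small audit tool that reports, for each signer of a JAR, whether a TSA timestamp is present and whether the timestamped signing date falls inside the signer certificate's validity period. It uses only standard JDK classes; the class name `TimestampAudit` is hypothetical, and it does not check trust in the timestamp authority or certificate revocation.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example; TimestampAudit is a hypothetical name, not part of maven-jarsigner.
public class TimestampAudit {
    // First certificate in a CertPath is the end-entity (signer) certificate.
    static X509Certificate leaf(CertPath path) {
        return (X509Certificate) path.getCertificates().get(0);
    }
    public static void main(String[] args) throws Exception {
        Set<CodeSigner> signers = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        // verify=true: the JDK checks each entry's digest and signature while reading.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF/.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) System.out.println("UNSIGNED entry: " + e.getName());
                else signers.addAll(Arrays.asList(cs));
            }
        }
        for (CodeSigner s : signers) {
            X509Certificate cert = leaf(s.getSignerCertPath());
            System.out.println("Signer:   " + cert.getSubjectX500Principal());
            System.out.println("NotAfter: " + cert.getNotAfter());
            Timestamp ts = s.getTimestamp(); // null when the JAR was signed without -tsa
            if (ts == null) {
                System.out.println("  no timestamp: validation depends on the verifier's clock");
                continue;
            }
            Date signedAt = ts.getTimestamp();
            boolean inWindow = !signedAt.before(cert.getNotBefore()) && !signedAt.after(cert.getNotAfter());
            System.out.println("  timestamp: " + signedAt);
            System.out.println("  TSA:       " + leaf(ts.getSignerCertPath()).getSubjectX500Principal());
            System.out.println("  signed within certificate validity: " + inWindow);
        }
    }
}
```

Run it as `java TimestampAudit.java signed.jar`; a modified entry makes the read throw a `SecurityException` before any signer is reported.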