Tony Chemit created MSHARED-299:
-----------------------------------
Summary: Add support for -tsa during signing (Trusted Timestamping)
Key: MSHARED-299
URL: https://jira.codehaus.org/browse/MSHARED-299
Project: Maven Shared Components
Issue Type: New Feature
Components: maven-jarsigner
Affects Versions: maven-jarsigner-1.0
Reporter: Tony Chemit
Trusted Timestamping, introduced in Java 5 (2004), allows your customers to
validate your signature even after the certificate has expired. When you sign a
JAR file, the Timestamp Authority uses their clock to act as a notary and
cryptographically write the date and time into your file.
Without this timestamp, users would only be able to validate your signature
based on their current date and time. This could be problematic for
long-running or embedded systems because the standard X.509 Certificates
contain a NotAfter date that typically ranges from one to four years.
You interact with timestamp authorities when signing code with
jarsignerââ¬â¢s TSA argument:
jarsigner -tsa http://timestamp.verisign.com ââ¬Â¦
When your signed file provides a timestamp, Java is able to use that
information within the PKIXParameters and determine:
- Do I trust this timestamp authority to act as a notary?
- Is the signature date before the certificateââ¬â¢s time of expiration?
- Based on Certificate Revocation Lists, was this certificate valid on or
before the signature date?
- If the answer to all questions is yes, then the signature is deemed valid
even if the certificate has expired. Therefore, signed code on embedded devices
will continue to operate beyond the Certificateââ¬â¢s lifetime.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
