You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Tony Chemit (JIRA)" <ji...@codehaus.org> on 2013/11/08 18:01:52 UTC
[jira] (MSHARED-299) Add support for -tsa during signing (Trusted
Timestamping)
Tony Chemit created MSHARED-299:
-----------------------------------
Summary: Add support for -tsa during signing (Trusted Timestamping)
Key: MSHARED-299
URL: https://jira.codehaus.org/browse/MSHARED-299
Project: Maven Shared Components
Issue Type: New Feature
Components: maven-jarsigner
Affects Versions: maven-jarsigner-1.0
Reporter: Tony Chemit
Trusted Timestamping, introduced in Java 5 (2004), allows your customers to validate your signature even after the certificate has expired. When you sign a JAR file, the Timestamp Authority uses their clock to act as a notary and cryptographically write the date and time into your file.
Without this timestamp, users would only be able to validate your signature based on their current date and time. This could be problematic for long-running or embedded systems because the standard X.509 Certificates contain a NotAfter date that typically ranges from one to four years.
You interact with timestamp authorities when signing code with jarsignerââ¬â¢s TSA argument:
jarsigner -tsa http://timestamp.verisign.com ââ¬Â¦
When your signed file provides a timestamp, Java is able to use that information within the PKIXParameters and determine:
- Do I trust this timestamp authority to act as a notary?
- Is the signature date before the certificateââ¬â¢s time of expiration?
- Based on Certificate Revocation Lists, was this certificate valid on or before the signature date?
- If the answer to all questions is yes, then the signature is deemed valid even if the certificate has expired. Therefore, signed code on embedded devices will continue to operate beyond the Certificateââ¬â¢s lifetime.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira