JDK-8180289

jarsigner treats timestamped signed jar invalid after the signer cert expires

    Details

    • Subcomponent:
    • Introduced In Version: 9
    • Resolved In Build: b30
    • Verification: Verified

        Description

        If a jar was signed some time ago with a timestamp, at a time when the signer cert was valid, it should be treated as valid even after the signer cert expires. However, jarsigner shows a warning saying that the signer cert chain is not validated.

        Jarsigner has always performed the validity check itself, and that check takes the timestamp into account. It also performs a CertPath validation, and this validation has never used the timestamp. Before JDK-8172529, when the validation threw a CertificateExpiredException or CertificateNotYetValidException, the exception was simply ignored because the validity had already been checked. After JDK-8172529, the exceptions are only ignored when jarsigner's own validity check fails. The result is that when a timestamp exists and the signer cert has expired after the timestamp, jarsigner's own validity check succeeds, but the CertPath validation fails (since it has not used the timestamp) and the exception is now rethrown.
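
        The difference between validating the signer chain at the current time and at the signature timestamp can be reproduced with the public CertPath API. This is an added example, not jarsigner's code or the fix for this issue; the class name SignerPathAtTimestamp and the helper validateAt are hypothetical, and it assumes the signer chain leads to the JRE default trust store and that the jar path is given as the first argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class SignerPathAtTimestamp {
    // Validate a signer chain as of 'when'. null means the current time,
    // which is the timestamp-unaware validation described in this issue.
    static String validateAt(CertPath path, Set<TrustAnchor> anchors, Date when) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: revocation checking is out of scope
        params.setDate(when);               // validity periods are checked against this date
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "valid";
        } catch (CertPathValidatorException e) {
            return "INVALID (" + e.getReason() + ")"; // e.g. EXPIRED
        }
    }

    public static void main(String[] args) throws Exception {
        // Trust anchors: the CA certificates of the JRE default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));

        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Code signers are only available after the entry has been read completely.
                try (InputStream in = jar.getInputStream(entry)) { in.readAllBytes(); }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue; // unsigned entry
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath();
                    System.out.println("at current time: " + validateAt(path, anchors, null));
                    if (s.getTimestamp() != null) {
                        Date ts = s.getTimestamp().getTimestamp();
                        System.out.println("at timestamp " + ts + ": " + validateAt(path, anchors, ts));
                    }
                }
                break; // one signed entry is enough for the comparison
            }
        }
    }
}
```

        For a jar whose signer cert expired after the timestamp, the first line reports the chain as expired while the second reports it as valid. The example does not validate the TSA's own certificate chain.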

                People

                • Assignee: Weijun Wang (weijun)
                • Reporter: Weijun Wang (weijun)