Prior to J2SE 5.0, the signature generated by
jarsigner contained no information about w hen the
signature was generated. With no other information available,
systems/deployers (including users of the Java Plug-in) often based
their validity assessment of a signed JAR file on the validity of
the signing certificate. When the signing certificate expires,
systems/deployers conclude that the signature, and hence, the JAR
file, has expired. Because signing certificates typically expire
annually, this caused customers significant problems by forcing
them to re-sign deployed JAR files annually.
Starting in J2SE 5.0,
jarsigner can generate
signatures that include a timestamp, thus enabling systems/deployer
(including Java Plug-in) to check whether the JAR file was signed
while the signing certificate was still valid. In addition, APIs
were added in J2SE 5.0 to allow applications to obtain the
The following time-of-signing enhancements and additions are supported in version 5.0 of the Java 2 platform:
jarsignertool can now generate and store a signature timestamp when signing a JAR file. In addition,
jarsignersupports alternative signing mechanisms. This behavior is optional and is controlled by the user at the time of signing through the options described below.
jarsignertool to support signature timestamps:
"-tsa http://example.tsa.url"appears on the command line when signing a JAR file then a timestamp is generated for the signature. The URL,
http://example.tsa.url, identifies the location of the Time Stamping Authority (TSA). It overrides any URL found via the
-tsaoption does not require the TSA's public key certificate to be present in the keystore.
To generate the timestamp,
jarsignercommunicates with the TSA using the Time-Stamp Protocol (TSP) defined in RFC 3161. If successful, the timestamp token returned by the TSA is stored along with the signature in the signature block file.
"-tsacert alias"appears on the command line when signing a JAR file then a timestamp is generated for the signature. The
aliasidentifies the TSA's public key certificate in the keystore that is currently in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA.
The TSA's public key certificate must be present in the keystore when using
Specifies that an alternative signing mechanism be used. The fully-qualified class name identifies a class file that extends the
com.sun.jarsigner.ContentSigner abstract class. The path to this class file is defined by the
-altsignerpathoption. If the
-altsigneroption is used,
jarsigneruses the signing mechanism provided by the specified class. Otherwise,
jarsigneruses its default signing mechanism.
For example, to use the signing mechanism provided by a class named
com.sun.sun.jarsigner.AuthSigner, use the
Specifies the path to the class file (the class file name is specified with the
-altsigneroption described above) and any JAR files it depends on. If the class file is in a JAR file, then this specifies the path to that JAR file, as shown in the example below.
An absolute path or a path relative to the current directory may be specified. If
classpathlistcontains multiple paths or JAR files, they should be separated with a colon (
:) on Solaris and a semi-colon (
;) on Windows. This option is not necessary if the class is already in the search path.
Example of specifying the path to a jar file that contains the class file:
Note that the JAR file name is included.
Example of specifying the path to the jar file that contains the class file:
Note that the JAR file name is omitted.
The TSA's certificate must be available from the Plug-in's keystore or certificate stores when the Plug-in is validating a JAR file containing a signature timestamp.
The Plugin reverts to 1.4.x behavior if the signature does not contain a timestamp.
Two new classes were added to the java.security package. These classes are CodeSigner, which maintains information associated with a signer, and Timestamp, which represents information associated with a signature timestamp.
Copyright © 1993, 2011, Oracle and/or its affiliates. All rights reserved.