Has anyone successfully used signature timestamps in a Java applet?
Java 1.5 added an enhancement to support signature timestamps. The idea, as far as I can tell, is that signed jar files should not become invalid just because the code signing certificate has expired, as long as the files were signed while the certificate was valid. In theory, this means we do not have to re-sign and redeploy our applications every year when the certificate expires. Unfortunately, there seem to be problems in the implementation, based on these two forum threads:
http://forums.sun.com/thread.jspa?threadID=744677
http://forums.sun.com/thread.jspa?threadID=5309004
I'm about to begin testing this, but I was wondering if anyone has successfully done this, without having to import the timestamping certificate on the client (which would defeat the whole purpose)?
The Thawte TSA root certificate was added to Sun's JRE cacerts file in 6u10 and 5.0u18.
Unfortunately, this feature appears to be completely worthless at this time. It is easy to add a timestamp when signing a jar file, just add this parameter to the jarsigner command:

This is the URL to Thawte's timestamping server. Unfortunately, the Thawte timestamping CA cert is not included in the Java runtime's list of trusted CA certs, so it is effectively meaningless. That is, if you load the applet after the code signing certificate has expired, you get the "untrusted" warning dialog instead of the "trusted" one.

There is a "workaround", of sorts, posted here, but it works by embedding the Thawte timestamping CA cert in the applet itself, and running keytool on the client to import the cert. I can't see how this would work though, since the user will already have seen the signed code dialog before this code can run.

I'll keep looking for a solution, but I'm not hopeful. I can't imagine why a usable timestamping CA cert has not been included with the Java runtime after all this time.
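The two things the question and the answer above hinge on can be checked mechanically rather than by watching which warning dialog appears: whether the jar's signature actually carries a timestamp token, whether that timestamp falls inside the code-signing certificate's validity period, and whether the TSA's certificate chain validates against the cacerts of the JRE that will run the applet. The program below is an added example, not code from the original post or from Sun. It uses only standard APIs: java.util.jar for the entries and java.security.CodeSigner / java.security.Timestamp, which are the Java 5 additions the question refers to. It assumes cacerts lives at java.home/lib/security/cacerts and uses the default password "changeit"; both the path and the password are assumptions, not stated on the page.

```java
// Added example (not from the original post or from Sun). Reports, for every
// signer of a jar, whether a timestamp token is embedded, whether the timestamp
// lies inside the code-signing cert's validity, and whether the TSA chain
// validates against this JRE's cacerts.
//   javac TimestampCheck.java && java TimestampCheck signed-applet.jar
// Run it under the same JRE the clients use: the trust decision is per-JRE.
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class TimestampCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TimestampCheck <signed.jar>");
            System.exit(2);
        }
        KeyStore cacerts = loadCacerts();
        Set<CodeSigner> signers = new HashSet<CodeSigner>();
        JarFile jar = new JarFile(args[0], true);   // true = verify signatures while reading
        try {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // getCodeSigners() is only populated once the entry has been read to EOF.
                InputStream in = jar.getInputStream(entry);
                try { while (in.read(buf) != -1) { /* drain */ } } finally { in.close(); }
                CodeSigner[] cs = entry.getCodeSigners();
                if (cs != null) signers.addAll(Arrays.asList(cs));
            }
        } finally {
            jar.close();
        }
        if (signers.isEmpty()) { System.out.println("jar is not signed"); return; }
        for (CodeSigner signer : signers) report(signer, cacerts);
    }

    static void report(CodeSigner signer, KeyStore cacerts) throws Exception {
        X509Certificate leaf = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
        System.out.println("signer: " + leaf.getSubjectX500Principal());
        System.out.println("  code-signing cert valid " + leaf.getNotBefore() + " .. " + leaf.getNotAfter());
        Timestamp ts = signer.getTimestamp();
        if (ts == null) {
            System.out.println("  NO timestamp token: the signature expires with the certificate");
            return;
        }
        Date when = ts.getTimestamp();
        System.out.println("  timestamped at " + when);
        try {
            leaf.checkValidity(when);   // the property the question wants: signed while valid
            System.out.println("  signed while the code-signing cert was valid: yes");
        } catch (CertificateException ex) {
            System.out.println("  timestamp is OUTSIDE the code-signing cert's validity: " + ex.getMessage());
        }
        X509Certificate tsaLeaf = (X509Certificate) ts.getSignerCertPath().getCertificates().get(0);
        System.out.println("  TSA: " + tsaLeaf.getSubjectX500Principal());
        String problem = validateAgainst(ts.getSignerCertPath(), cacerts, when);
        System.out.println("  TSA chain trusted by this JRE's cacerts: " + (problem == null ? "yes" : "NO (" + problem + ")"));
    }

    /** Returns null if the path chains to a trust anchor in cacerts, otherwise the validator's reason. */
    static String validateAgainst(CertPath path, KeyStore cacerts, Date at) throws Exception {
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (Certificate c : path.getCertificates()) chain.add((X509Certificate) c);
        // PKIX takes the anchor from the parameters, so drop a trailing self-signed root if the TSA shipped one.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        CertPath toCheck = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(cacerts);   // trust anchors = trusted entries in cacerts
        params.setRevocationEnabled(false);                    // no OCSP/CRL: this is an offline trust check
        params.setDate(at);                                    // the TSA cert only has to be valid at signing time
        try {
            CertPathValidator.getInstance("PKIX").validate(toCheck, params);
            return null;
        } catch (CertPathValidatorException ex) {
            return ex.getMessage();
        }
    }

    // Assumption (not from the page): cacerts sits under java.home with the default password.
    static KeyStore loadCacerts() throws Exception {
        String path = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator + "cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, "changeit".toCharArray()); } finally { in.close(); }
        return ks;
    }
}
```

If the last line prints "NO" for a jar signed with the Thawte TSA, that is exactly the situation the answer describes: the token is present, but the runtime has no anchor for it, so the expired-certificate case still falls back to "untrusted". Re-running the same check under a JRE that ships the TSA root (the other answer names 6u10 and 5.0u18) is the quickest way to confirm whether a given client build will honour the timestamp without any keytool import.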