| Summary: | JAR signing certificate expired | | |
|---|---|---|---|
| Product: | [JogAmp] General | Reporter: | Alexander Wittig <alexander> |
| Component: | infrastructure | Assignee: | Sven Gothel <sgothel> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | gouessej, johan |
| Priority: | P4 | | |
| Version: | 2.4.0 | | |
| Hardware: | All | | |
| OS: | all | | |
| Type: | DEFECT | SCM Refs: | |
| Workaround: | --- | | |
Description
Alexander Wittig
2016-02-25 22:25:27 CET
For reference, here is the output of jarsigner -verbose -certs -verify jogl-all-natives-macosx-universal.jar (selected randomly, applies to all jars):

s 1415 Sat Oct 10 05:09:22 CEST 2015 META-INF/MANIFEST.MF

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

797 Sat Oct 10 05:09:22 CEST 2015 META-INF/JOGAMP04.SF
3779 Sat Oct 10 05:09:22 CEST 2015 META-INF/JOGAMP04.RSA
sm 159 Sat Oct 10 03:13:50 CEST 2015 jogamp/nativetag/opengl/macosx/universal/TAG.class

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm 1740756 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libjogl_desktop.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm 852328 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libjogl_mobile.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm 29808 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libnativewindow_awt.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm 87988 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libnativewindow_macosx.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm 179452 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libnewt.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-15) or after any future revocation date.

This problem can be triggered by trying any of the official JNLP demos here: http://jogamp.org/deployment/jogamp-current/jogl-demos/test.html

Hi

In the meantime, you can follow my advice: http://forum.jogamp.org/code-signing-cert-expired-tp4036295p4036310.html

You can add JogAmp into your exception list or you can host/bundle and sign JOGL with your own "trusted" certificate.

Sven used his personal certificate, we should have used a certificate of the JogAmp community so that someone else can renew it when he's temporarily unavailable.

By the way, I approve your suggestion about the TSA.

Hi

I will suggest to buy a new certificate (myself) to other maintainers, I'm fed up with the current situation. If they agree with me, I'll sign the existing release with this new certificate. Sorry for the delay.

(In reply to Julien Gouesse from comment #4)
> Hi
>
> I will suggest to buy a new certificate (myself) to other maintainers, I'm
> fed up with the current situation. If they agree with me, I'll sign the
> existing release with this new certificate. Sorry for the delay.

I think users will be happy to donate some bucks to buy a new certificate. Maybe there is some kickstarter-like thing the maintainers could set up?

Should we really renew the certificate whereas Java Webstart is no longer supported? Personally, I would mark this bug report "Resolved" "Won't fix".

(In reply to Julien Gouesse from comment #6)
> Should we really renew the certificate whereas Java Webstart is no longer
> supported? Personally, I would mark this bug report "Resolved" "Won't fix".

Correct. Thank you.
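
Added example, not part of the original report or of JogAmp's code: a Python check that parses the text printed by the `jarsigner -verbose -certs -verify` command quoted in the description and flags the combination reported here, an expired certificate in the chain together with the missing-timestamp warning. The function name `audit_jarsigner` and the abridged sample are constructed for illustration, and only the two certificate status strings that appear in this report are recognised.

```python
import re

# Constructed sample, abridged from the jarsigner output quoted in this report.
SAMPLE = """\
sm 159 Sat Oct 10 03:13:50 CEST 2015 jogamp/nativetag/opengl/macosx/universal/TAG.class
      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains signatures that does not include a timestamp.
"""

CERT = re.compile(r"^\s*X\.509, (.+)$")
STATUS = re.compile(r"^\s*\[certificate (expired on|is valid from) .+\]$")
# Wording as quoted in the report; accepting "do not" is an assumption.
NO_TIMESTAMP = re.compile(r"signatures that do(?:es)? not include a timestamp")

def audit_jarsigner(output):
    """Summarise the text printed by `jarsigner -verbose -certs -verify`."""
    certs = {}      # certificate CN -> "expired" or "valid"
    subject = None  # subject of the X.509 line awaiting its status line
    for line in output.splitlines():
        m = CERT.match(line)
        if m:
            cn = re.search(r"CN=([^,]+)", m.group(1))
            subject = cn.group(1) if cn else m.group(1)
            continue
        m = STATUS.match(line)
        if m and subject:
            # The chain repeats for every entry; an expired sighting wins.
            if m.group(1) == "expired on":
                certs[subject] = "expired"
            else:
                certs.setdefault(subject, "valid")
            subject = None
    expired = sorted(cn for cn, state in certs.items() if state == "expired")
    missing_ts = NO_TIMESTAMP.search(output) is not None
    return {
        "verified": "jar verified." in output,
        "expired": expired,
        "missing_timestamp": missing_ts,
        # Expired certificate and no TSA timestamp: nothing proves the
        # signature was made while the certificate was valid, so re-sign.
        "needs_resign": bool(expired) and missing_ts,
    }
```
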