Bug 1293 - JAR signing certificate expired
Summary: JAR signing certificate expired
Status: RESOLVED WONTFIX
Alias: None
Product: General
Classification: JogAmp
Component: infrastructure
Version: 2.4.0
Hardware: All all
Importance: P4 normal
Assignee: Sven Gothel
URL:
Depends on:
Blocks:
Reported: 2016-02-25 22:25 CET by Alexander Wittig
Modified: 2019-03-29 19:38 CET (History)

See Also:
Type: DEFECT
SCM Refs:
Workaround: ---


Attachments

Description Alexander Wittig 2016-02-25 22:25:27 CET
The JAR files served for WebStart enabled applications are signed with a certificate that expired on 2/15/2016. Thus no WebStart applications relying on the jar files served from http://jogamp.org/deployment/jogamp-current/ can run any more, because (at least) recent versions of Java refuse to run code signed with expired certificates.

To fix this problem, all jar files hosted on jogamp.org need to be re-signed with a valid certificate. To prevent this problem from recurring, it may be a good idea to also use a timestamp server when signing. This way, the certificate must only be valid at the time of signing, and the jar does not expire when the certificate does. This can be achieved by adding a -tsa switch to the jarsigner command, such as:
jarsigner -tsa http://timestamp.digicert.com -storepass XXX -keystore codesigning.keystore jogl.jar ...

Last time I used this, no business relation with digicert was needed (i.e. no certificate from them) to use their timestamping service as shown above.
Comment 1 Alexander Wittig 2016-02-25 22:28:15 CET
For reference, here the output of
jarsigner -verbose -certs -verify jogl-all-natives-macosx-universal.jar
(selected randomly, applies to all jars):

s       1415 Sat Oct 10 05:09:22 CEST 2015 META-INF/MANIFEST.MF

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

         797 Sat Oct 10 05:09:22 CEST 2015 META-INF/JOGAMP04.SF
        3779 Sat Oct 10 05:09:22 CEST 2015 META-INF/JOGAMP04.RSA
sm       159 Sat Oct 10 03:13:50 CEST 2015 jogamp/nativetag/opengl/macosx/universal/TAG.class

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm    1740756 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libjogl_desktop.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm    852328 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libjogl_mobile.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm     29808 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libnativewindow_awt.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm     87988 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libnativewindow_macosx.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]

sm    179452 Sat Oct 10 03:13:50 CEST 2015 natives/macosx-universal/libnewt.jnilib

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, L=Bremerhaven, ST=Bremen, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      [certificate is valid from 11/17/06 1:00 AM to 7/17/36 1:59 AM]


  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose signer certificate has expired. 
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-15) or after any future revocation date.
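A check a maintainer could run over every JAR in the deployment before serving it, added here as an example and not part of this bug report or of JogAmp's own tooling: it parses the `jarsigner -verbose -certs -verify` output in the format shown in comment 1 and flags the combination the description warns about, a signer certificate that has expired on a signature that carries no TSA timestamp. The embedded sample output is constructed from that format and trimmed to one entry.

```python
import re
from dataclasses import dataclass, field

# Per-certificate lines jarsigner prints under each signed entry, and the
# trailing warning it emits when no TSA was used at signing time.
X509_RE = re.compile(r"^\s*X\.509, (CN=[^,]+)")
EXPIRED_RE = re.compile(r"^\s*\[certificate expired on (.+)\]\s*$")
NO_TSA_RE = re.compile(r"signatures that does not include a timestamp")

@dataclass
class JarReport:
    verified: bool = False
    expired: dict = field(default_factory=dict)  # subject CN -> expiry text
    timestamped: bool = True

def parse_jarsigner_verify(output: str) -> JarReport:
    """A '[certificate expired ...]' line belongs to the X.509 subject
    printed immediately before it."""
    report = JarReport()
    subject = None
    for line in output.splitlines():
        if m := X509_RE.match(line):
            subject = m.group(1)
        elif (m := EXPIRED_RE.match(line)) and subject:
            report.expired[subject] = m.group(1)
        elif line.strip() == "jar verified.":
            report.verified = True
        elif NO_TSA_RE.search(line):
            report.timestamped = False
    return report

def still_deployable(report: JarReport) -> bool:
    """Keep serving the JAR only if it verified and either carries a timestamp
    (the signature outlives the cert) or no cert in its chain has expired."""
    return report.verified and (report.timestamped or not report.expired)

# Constructed sample, trimmed to one entry in the format shown in comment 1.
SAMPLE_EXPIRED_NO_TSA = """\
sm       159 Sat Oct 10 03:13:50 CEST 2015 jogamp/nativetag/opengl/macosx/universal/TAG.class

      X.509, CN=Sven Gothel, OU=Individual Developer, O=No Organization Affiliation, C=DE
      [certificate expired on 2/15/16 12:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]

jar verified.
This jar contains entries whose signer certificate has expired.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-15).
"""
```

Running it over the real output of each JAR under the deployment directory gives a list of files that need re-signing, with `-tsa`, before they are served again.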
Comment 2 Alexander Wittig 2016-02-25 22:42:54 CET
This problem can be triggered by trying any of the official JNLP demos here: http://jogamp.org/deployment/jogamp-current/jogl-demos/test.html
Comment 3 Julien Gouesse 2016-02-26 14:21:01 CET
Hi

In the meantime, you can follow my advice:
http://forum.jogamp.org/code-signing-cert-expired-tp4036295p4036310.html

You can add JogAmp into your exception list or you can host/bundle and sign JOGL with your own "trusted" certificate.

Sven used his personal certificate, we should have used a certificate of the JogAmp community so that someone else can renew it when he's temporarily unavailable.

By the way, I approve your suggestion about the TSA.
Comment 4 Julien Gouesse 2016-04-15 09:50:48 CEST
Hi

I will suggest to the other maintainers that I buy a new certificate myself; I'm fed up with the current situation. If they agree with me, I'll sign the existing release with this new certificate. Sorry for the delay.
Comment 5 johan 2016-04-15 10:10:56 CEST
(In reply to Julien Gouesse from comment #4)
> Hi
> 
> I will suggest to buy a new certificate (myself) to other maintainers, I'm
> fed up with the current situation. If they agree with me, I'll sign the
> existing release with this new certificate. Sorry for the delay.

I think users will be happy to donate some bucks to buy a new certificate. Maybe there is some kickstarter-like thing the maintainers could set up?
Comment 6 Julien Gouesse 2019-03-29 19:17:02 CET
Should we really renew the certificate whereas Java Webstart is no longer supported? Personally, I would mark this bug report "Resolved" "Won't fix".
Comment 7 Sven Gothel 2019-03-29 19:38:29 CET
(In reply to Julien Gouesse from comment #6)
> Should we really renew the certificate whereas Java Webstart is no longer
> supported? Personally, I would mark this bug report "Resolved" "Won't fix".

Correct. Thank you.