File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JNLP and Web Start and the fly likes Do code sign timestamps actually work? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JNLP and Web Start
Bookmark "Do code sign timestamps actually work?" Watch "Do code sign timestamps actually work?" New topic

Do code sign timestamps actually work?

Martin White

Joined: Apr 16, 2011
Posts: 4

This is a question I've been asking myself a lot today, and it has to be said, from a LOT of searching on the internet, I'm far from alone. Where I seem to be alone though is in my pursuit of an answer

Loads of times I see the question asked, and loads of times I see the answer is that in order for the browser to take any notice of the TSA's time stamping, the authority needs to have been one that is in the JRE's trusted root store (cacerts usually). And that's where most people seem to stop asking. I never know whether it worked for them or they just gave up.

For me, I've tried umpteen different URLs to the -tsa argument and they all seem to work ok. Most have come from responses where people say it needs to be a trusted root so use this one. I've even found some code online that claims to verify there is a timestamp in there (but doesn't go as far as proving the validity of the timestamp), but whatever I do, when I put the date of my machine forward by a year and load up the app via the JNLP link, sure enough my browser complains that the code was signed with a certificate that has now expired. I'm getting to the point of being pretty much stumped!!

My setup is OS X Lion, with the latest java from whoever supplies it these days (1.6.0_29) and I'm using Safari 5.1.3.

I've even gone to the extent of modifying the maven web start plugin to allow me to time stamp the jars during the maven build process and afterwards I was going to look to uploading that to the project (since it's not in there at the moment) but if it's all in vein then there's little point, and indeed may explain why it wasn't in the maven plugin in the first place

Any pointers please anyone??

Martin White

Joined: Apr 16, 2011
Posts: 4

sadaf malik

Joined: Jul 11, 2012
Posts: 1
thank you martin white its help full
I agree. Here's the link:
subject: Do code sign timestamps actually work?
It's not a secret anymore!