This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Summary: | Missing support of time-stamp authority in NBM jar signing and Java Webstart build | ||
---|---|---|---|
Product: | apisupport | Reporter: | gouessej |
Component: | Harness | Assignee: | pgebauer <pgebauer> |
Status: | NEW --- | ||
Severity: | normal | CC: | danielferber, emi, gouessej, j2gl, neigor |
Priority: | P2 | ||
Version: | 8.2 | ||
Hardware: | PC | ||
OS: | All | ||
See Also: | https://netbeans.org/bugzilla/show_bug.cgi?id=243782 | ||
Issue Type: | DEFECT | Exception Reporter: | |
Attachments: | NBM Time Stamping Authority |
Description
gouessej
2014-03-24 12:45:33 UTC
There is the same problem with NBM signing. The updater considers that an NBM is unsigned even though it is signed with a trusted certificate, and there is no means of passing a TSA URL.

If NetBeans uses Apache Ant, I think it's a bug in Ant. I'm trying to sign one jar using a timestamp authority, but it doesn't work. Here is the relevant piece of my build.xml Ant file:

```xml
<!-- ... -->
<target name="Signlib" depends="init">
    <!-- tsa= is the attribute as originally posted; the follow-up below corrects it to tsaurl= -->
    <signjar alias="${alias}" keystore="${keystore}" keypass="${keypass}" storepass="${storepass}" tsa="https://timestamp.geotrust.com/tsa">
        <fileset dir="${lib.dir}/temp" excludes="" includes="*.jar" />
    </signjar>
</target>
```

My Ant output is this:

```
[signjar] Signing JAR: webstart/lib/DatosPersonales.jar to webstart/lib/DatosPersonales.jar as XXXXX-2013
[signjar] jar signed.
[signjar]
[signjar] Warning:
[signjar] The signer certificate will expire within six months.
[signjar] No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-05) or after any future revocation date.
[signjar] Enter Passphrase for keystore: Enter key password for XXXXX-2013.
```

My Ant version:

```
$ ant -version
Apache Ant(TM) version 1.9.6 compiled on June 29 2015
```

I tried from jarsigner and it works:

```
$ jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore ../misc/XXXX.jks -storepass "****" -keypass "****" DatosPersonales.jar XXXX-2013
```

I'm verifying like this:

```
$ jarsigner -verify -verbose -certs DatosPersonales.jar | grep "entry"
```

And it displays:

```
[entry was signed on 1/18/16 2:39 AM]
```

I hope it helps to solve this bug.

Please ignore my last comment #2. It was my mistake: it's tsaurl instead of tsa. Apache Ant works for timestamp authority. I can't delete my comment.

Created attachment 161749
NBM Time Stamping Authority
See the attached patch for MakeNBM.
My previous patch just needs something like tsaurl=http://tsa.startssl.com/rfc3161 in project.properties to work. (I haven't tested tsacert, but it should work too.)

Marking issue type as DEFECT since even the NBM build system complains about it:

```
Warning: No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (yyyy-mm-dd) or after any future revocation date.
```

Also, self-signed keytool certificates are only valid for 90 days, so -tsa really seems handy for the majority of plugin developers.

Also marking as P2:
> Product feature doesn't work, a workaround may exist but it's difficult to use or impractical
since it's not possible to work around this without recompiling MakeNBM.java yourself.
Please review and apply the patch.
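
The `tsa` versus `tsaurl` mix-up reported in this thread can be caught before signing by linting the build file. The following is an added example, not part of the original report or of the NetBeans or Ant code: `audit_signjar` and the sample build file are constructed for illustration, and the attribute set follows Ant's documented `signjar` timestamp attributes.

```python
import xml.etree.ElementTree as ET

# Timestamp-related attributes documented for Ant's <signjar> task.
KNOWN_TSA = {"tsaurl", "tsacert", "tsaproxyhost", "tsaproxyport", "tsadigestalg"}
REQUESTS_TIMESTAMP = {"tsaurl", "tsacert"}  # either one requests an RFC 3161 timestamp

# Constructed sample modelled on the build.xml fragment quoted in this report.
SAMPLE_BUILD_XML = """<project name="demo" default="Signlib">
  <target name="Signlib">
    <signjar alias="${alias}" keystore="${keystore}" storepass="${storepass}"
             tsa="https://timestamp.geotrust.com/tsa">
      <fileset dir="lib/temp" includes="*.jar"/>
    </signjar>
  </target>
  <target name="SignlibFixed">
    <signjar alias="${alias}" keystore="${keystore}" storepass="${storepass}"
             tsaurl="https://timestamp.geotrust.com/tsa">
      <fileset dir="lib/temp" includes="*.jar"/>
    </signjar>
  </target>
  <target name="NoTimestamp">
    <signjar alias="${alias}" keystore="${keystore}" storepass="${storepass}" jar="a.jar"/>
  </target>
</project>"""


def audit_signjar(build_xml):
    """Return (target, status, suspect_attrs) for every <signjar> task."""
    root = ET.fromstring(build_xml)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for task in root.iter("signjar"):
        node = task
        while node is not None and node.tag != "target":
            node = parent.get(node)  # climb to the enclosing <target>, if any
        where = node.get("name") if node is not None else "(top level)"
        # Ant matches attribute names case-insensitively, so normalise first.
        attrs = {k.lower(): v for k, v in task.attrib.items()}
        suspect = sorted(a for a in attrs if a.startswith("tsa") and a not in KNOWN_TSA)
        if suspect:
            status = "unknown-attribute"  # e.g. tsa= where tsaurl= was meant
        elif any(attrs.get(a, "").strip() for a in REQUESTS_TIMESTAMP):
            status = "timestamped"
        else:
            status = "no-timestamp"
        findings.append((where, status, suspect))
    return findings


if __name__ == "__main__":
    for finding in audit_signjar(SAMPLE_BUILD_XML):
        print(finding)
```

A value such as `tsaurl="${tsaurl}"` is reported as timestamped even if the property is undefined at build time, so `jarsigner -verify -verbose -certs` on the signed artifact remains the authoritative check.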