Bug 243213 - Missing support of time-stamp authority in NBM jar signing and Java Webstart build
Status: NEW
Product: apisupport
Classification: Unclassified
Component: Harness
Version: 8.2
Hardware: PC All
Priority: P2 with 9 votes
Target Milestone: TBD
Assigned To: pgebauer
issues@apisupport
Reported: 2014-03-24 12:45 UTC by gouessej
Modified: 2016-11-28 06:46 UTC
Issue Type: DEFECT
Attachments
NBM Time Stamping Authority (2.69 KB, patch)
2016-08-22 21:24 UTC, emi

Description gouessej 2014-03-24 12:45:33 UTC
There is no property that allows passing a TSA (time-stamp authority) URL to the jar signer when using the Java Webstart build feature (right-click on a module suite -> JNLP -> Build). I get this kind of warning:
Warning: 
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-18) or after any future revocation date.

This RFE requires modifying harness/jnlp.xml, harness/common.xml (in order to pass the TSA URL to makejnlp) and org.netbeans.nbbuild.MakeJNLP (which uses a sign task to sign the JARs) to handle this (optional) parameter.

Ant "signjar" task already supports the TSA URL and the TSA certificate as you can see here:
http://ant.apache.org/manual/Tasks/signjar.html

Look at org.apache.tools.ant.taskdefs.SignJar too:
http://kickjava.com/src/org/apache/tools/ant/taskdefs/SignJar.java.htm

Please consider adding the following methods into org.netbeans.nbbuild.MakeJNLP:
public void setTsaUrl(String tsaUrl) {
    getSignTask().setTsaurl(tsaUrl);
}

public void setTsaCert(String tsaCert) {
    getSignTask().setTsacert(tsaCert);
}

If no TSA URL is provided, tsaurl should be null (don't use an empty string).

makemasterjnlp has to be modified too.
Comment 1 gouessej 2014-03-27 10:32:50 UTC
There is the same problem with NBM signing. The updater considers an NBM unsigned even though it is signed with a trusted certificate, and there is no means of passing a TSA URL.
Comment 2 j2gl 2016-01-18 08:40:20 UTC
If Netbeans uses Apache ant, I think this is a bug in ant.

I'm trying to sign using timestamp authority signing one jar, but it doesn't work.  

Here is my build.xml ant file piece of code:

...
  <target name="Signlib" depends="init">
    <signjar alias="${alias}" keystore="${keystore}" keypass="${keypass}" storepass="${storepass}"
             tsa="https://timestamp.geotrust.com/tsa">
      <fileset dir="${lib.dir}/temp" excludes="" includes="*.jar" />
    </signjar>
  </target>

My ant output is this: 

  [signjar] Signing JAR: webstart/lib/DatosPersonales.jar to webstart/lib/DatosPersonales.jar as XXXXX-2013
  [signjar] jar signed.
  [signjar] 
  [signjar] Warning: 
  [signjar] The signer certificate will expire within six months.
  [signjar] No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-05) or after any future revocation date.
  [signjar] Enter Passphrase for keystore: Enter key password for XXXXX-2013.

My ant version:

$ ant -version
Apache Ant(TM) version 1.9.6 compiled on June 29 2015

I tried from jarsigner and it works: 

$ jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore ../misc/XXXX.jks -storepass "****" -keypass "****" DatosPersonales.jar XXXX-2013

I'm verifying like this:
$ jarsigner -verify -verbose -certs DatosPersonales.jar | grep "entry"

And displays: 
  [entry was signed on 1/18/16 2:39 AM]

I hope it helps solving this bug.
Comment 3 j2gl 2016-01-18 09:15:53 UTC
Please ignore my last comment #2. It was my mistake: it's tsaurl instead of tsa. Apache ant works for timestamp authority. I can't delete my comment.
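An added example (not part of the original thread, and not NetBeans or Ant code): a build gate that catches the situation in comments 2 and 3, where signing reports success but no timestamp was embedded. It assumes signature blocks are stored as META-INF/*.RSA, *.DSA or *.EC and byte-scans them for the signature timestamp token attribute OID; the function names and the sample archives are constructed for illustration, and `jarsigner -verify` remains the authoritative check.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (signature timestamp token),
# the unsigned CMS attribute in which a signature carries its RFC 3161 token.
TS_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def timestamp_status(archive):
    """Map each META-INF signature block in a JAR/NBM to True if it embeds a token.

    Heuristic: a byte scan for the attribute OID. It does not validate the
    token or the TSA certificate chain. An empty dict means no signature block.
    """
    status = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # Signature blocks sit directly under META-INF/, not in subdirectories.
            if (upper.startswith("META-INF/") and upper.count("/") == 1
                    and upper.endswith(SIG_BLOCK_EXTS)):
                status[name] = TS_TOKEN_OID in zf.read(name)
    return status


def gate(archive):
    """Return 'unsigned', 'not-timestamped' or 'timestamped' for a build gate."""
    status = timestamp_status(archive)
    if not status:
        return "unsigned"
    return "timestamped" if all(status.values()) else "not-timestamped"


def constructed_jar(sig_block):
    """Build an in-memory archive; sig_block is fake bytes standing in for PKCS#7."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")
        if sig_block is not None:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", sig_block)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for block in (None, b"constructed-cms", b"constructed-cms" + TS_TOKEN_OID):
        print(gate(constructed_jar(block)))
```

`gate()` also accepts a file path, so it can run over every JAR and NBM a build produces and fail the build on anything other than `timestamped`.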
Comment 4 emi 2016-08-22 21:24:10 UTC
Created attachment 161749
NBM Time Stamping Authority

See the attached patch for MakeNBM.
Comment 5 emi 2016-08-22 21:25:58 UTC
My previous patch just needs something like

tsaurl=http://tsa.startssl.com/rfc3161

in project.properties to work. (I haven't tested tsacert, but it should work too).
Comment 6 emi 2016-11-28 06:41:47 UTC
Marking issue type as DEFECT since even the NBM build system complains about it:

Warning: 
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (yyyy-mm-dd) or after any future revocation date.

Also, self-signed keytool certificates are only valid for 90 days so -tsa really seems handy for the majority of plugin developers.
Comment 7 emi 2016-11-28 06:46:42 UTC
Also marking as P2:

> Product feature doesn't work, a workaround may exist but it's difficult to use or impractical

since it's not possible to work around this without recompiling MakeNBM.java yourself.

Please review and apply the patch.

