标题翻译
Why am I not getting any warnings about my java web start application that is signed with an expired certificate?
问题
我有一个Java Web Start应用程序(我将一个war部署到Tomcat,用户访问网站并下载一个jnlp文件,然后可以执行该文件)。在我的构建过程中,jar文件使用CA机构签署的证书进行了签名,据我所知没有使用时间戳。该证书最近已过期。
从war文件中提取jar文件并使用jarsigner进行检查显示:
已验证jar。
警告:
此jar包含其签名证书已过期的条目。
此jar包含的签名不包括时间戳。没有时间戳,用户在任何签名证书过期后(最早在2020-02-24)可能无法验证此jar包。
看起来:
- 用户仍然可以启动Java Web Start应用程序。
- 构建作业仍在运行,并且能够使用过期的证书进行签名。
- 部署已用过期证书签名的新构建版本仍然有效,应用程序仍然可以启动。
现在,我想知道过期的影响,是否值得更新证书并添加到密钥库中?
更新:
服务器:
- Tomcat版本 Apache Tomcat/9.0.10
- JVM版本 1.8.0_181-b13
客户端:
- Java Web Start 11.121.2.13 x86
- 使用JRE版本 1.8.0_121-b13 Java HotSpot(TM) Client VM
英文翻译
I have a java web start application (I deploy a war to Tomcat, user goes to the website and downloads a jnlp which then can be executed). In my build process the jars are signed using a CA authority signed certificate and as far as I can tell without timestamping. The certificate has recently expired.
Extracting jars from the war file and checking them using jarsigner shows:
jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2020-02-24).
It appears that:
- the users can still launch the java web start applications
- the build job still runs and is able to sign with the expired certificate
- deploying a newly built version that has been signed with the expired certificate still works and the app still launches
Now I am wondering what is the impact of that expiry, and should I even bother with renewing the certificate and adding to the keystore?
Update:
Server:
- Tomcat Version Apache Tomcat/9.0.10
- JVM Version 1.8.0_181-b13
Client:
- Java Web Start 11.121.2.13 x86
- Using JRE version 1.8.0_121-b13 Java HotSpot(TM) Client VM
专注分享java语言的经验与见解,让所有开发者获益!
评论