This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 243213 - Missing support of time-stamp authority in NBM jar signing and Java Webstart build
Status: NEW
Alias: None
Product: apisupport
Classification: Unclassified
Component: Harness
Version: 8.2
Hardware: PC All
Importance: P2 normal with 9 votes
Assignee: pgebauer
Reported: 2014-03-24 12:45 UTC by gouessej
Modified: 2016-11-28 06:46 UTC

Issue Type: DEFECT


Attachments
NBM Time Stamping Authority (2.69 KB, patch)
2016-08-22 21:24 UTC, emi

Description gouessej 2014-03-24 12:45:33 UTC
There is no property that allows passing a TSA (time-stamp authority) URL to the jar signer when using the Java Webstart build feature (right-click on a module suite -> JNLP -> Build). I get this kind of warning:
Warning: 
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-18) or after any future revocation date.

This RFE requires modifying harness/jnlp.xml, harness/common.xml (in order to pass the TSA URL to makejnlp) and org.netbeans.nbbuild.MakeJNLP (which uses a sign task to sign the JARs) to handle this (optional) parameter.

The Ant "signjar" task already supports the TSA URL and the TSA certificate, as you can see here:
http://ant.apache.org/manual/Tasks/signjar.html

Look at org.apache.tools.ant.taskdefs.SignJar too:
http://kickjava.com/src/org/apache/tools/ant/taskdefs/SignJar.java.htm

Please consider adding the following methods into org.netbeans.nbbuild.MakeJNLP:
public void setTsaUrl(String tsaUrl) {
    getSignTask().setTsaurl(tsaUrl);
}

public void setTsaCert(String tsaCert) {
    getSignTask().setTsacert(tsaCert);
}

If no TSA URL is provided, tsaurl should be null (don't use an empty string).

makemasterjnlp has to be modified too.
Comment 1 gouessej 2014-03-27 10:32:50 UTC
There is the same problem with NBM signing. The updater considers an NBM unsigned even though it is signed with a trusted certificate, and there is no means of passing a TSA URL.
Comment 2 j2gl 2016-01-18 08:40:20 UTC
If NetBeans uses Apache Ant, I think this is a bug in Ant.

I'm trying to sign using timestamp authority signing one jar, but it doesn't work.  

Here is my build.xml ant file piece of code:

...
  <target name="Signlib" depends="init">
    <signjar alias="${alias}" keystore="${keystore}" keypass="${keypass}" storepass="${storepass}"
             tsa="https://timestamp.geotrust.com/tsa">
      <fileset dir="${lib.dir}/temp" excludes="" includes="*.jar" />
    </signjar>
  </target>

My ant output is this: 

  [signjar] Signing JAR: webstart/lib/DatosPersonales.jar to webstart/lib/DatosPersonales.jar as XXXXX-2013
  [signjar] jar signed.
  [signjar] 
  [signjar] Warning: 
  [signjar] The signer certificate will expire within six months.
  [signjar] No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-05) or after any future revocation date.
  [signjar] Enter Passphrase for keystore: Enter key password for XXXXX-2013.

My ant version:

$ ant -version
Apache Ant(TM) version 1.9.6 compiled on June 29 2015

I tried from jarsigner and it works: 

$ jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore ../misc/XXXX.jks -storepass "****" -keypass "****" DatosPersonales.jar XXXX-2013

I'm verifying like this:
$ jarsigner -verify -verbose -certs DatosPersonales.jar | grep "entry"

And displays: 
  [entry was signed on 1/18/16 2:39 AM]

I hope it helps solving this bug.
Comment 3 j2gl 2016-01-18 09:15:53 UTC
Please ignore my last comment #2. It was my mistake: it's tsaurl instead of tsa. Apache Ant works for timestamp authority. I can't delete my comment.
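A build-log check for the situation in comments 2 and 3, where signjar printed "jar signed." although no timestamp was applied. This is an added example, not part of the bug report or the NetBeans harness; the function names and the sample log are constructed for illustration and follow the [signjar] output format quoted above.

```shell
#!/bin/sh
# Added example (not from this bug report or the NetBeans harness).
# Lists JARs that signjar signed without a timestamp, using two strings from
# the quoted build output: "Signing JAR: <src> to <dest> as <alias>" and the
# "No -tsa or -tsacert is provided" warning.

untimestamped_jars() {
    # Reads an Ant build log on stdin; prints each affected destination JAR once.
    # Assumes the alias has no spaces and the destination path has no " to ".
    awk '
        /\[signjar\] Signing JAR: / {
            line = $0
            sub(/\r$/, "", line)             # tolerate CRLF logs
            sub(/^.*Signing JAR: /, "", line)
            sub(/^.* to /, "", line)         # keep the destination path
            sub(/ as [^ ]*$/, "", line)      # drop the trailing alias
            current = line
            next
        }
        /No -tsa or -tsacert is provided/ {
            # The warning belongs to the most recent "Signing JAR" record.
            if (current != "" && !(current in seen)) {
                seen[current] = 1
                print current
            }
        }
    '
}

signing_gate() {
    # Exit status 0 when every signed JAR was timestamped, 1 otherwise.
    missing=$(untimestamped_jars)
    [ -z "$missing" ] && return 0
    printf 'signed without a TSA timestamp:\n%s\n' "$missing" >&2
    return 1
}

sample_log() {
    # Constructed sample: a.jar lacks a timestamp, b.jar has no warning.
    cat <<'EOF'
  [signjar] Signing JAR: build/lib/a.jar to build/lib/a.jar as demo-alias
  [signjar] jar signed.
  [signjar] Warning: 
  [signjar] No -tsa or -tsacert is provided and this jar is not timestamped.
  [signjar] Signing JAR: build/lib/b.jar to build/lib/b.jar as demo-alias
  [signjar] jar signed.
EOF
}

sample_log | untimestamped_jars
```

In a build script, pipe the Ant output through signing_gate and fail the job on a non-zero status, so a misspelled or missing tsaurl setting does not ship unnoticed.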
Comment 4 emi 2016-08-22 21:24:10 UTC
Created attachment 161749
NBM Time Stamping Authority

See the attached patch for MakeNBM.
Comment 5 emi 2016-08-22 21:25:58 UTC
My previous patch just needs something like

tsaurl=http://tsa.startssl.com/rfc3161

in project.properties to work. (I haven't tested tsacert, but it should work too).
Comment 6 emi 2016-11-28 06:41:47 UTC
Marking issue type as DEFECT since even the NBM build system complains about it:

Warning: 
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (yyyy-mm-dd) or after any future revocation date.

Also, self-signed keytool certificates are only valid for 90 days so -tsa really seems handy for the majority of plugin developers.
Comment 7 emi 2016-11-28 06:46:42 UTC
Also marking as P2:

> Product feature doesn't work, a workaround may exist but it's difficult to use or impractical

since it's not possible to work around this without recompiling MakeNBM.java yourself.

Please review and apply the patch.