There is no property that allows passing a TSA (time-stamp authority) URL to the jar signer when using the Java Webstart build feature (right-click on a module suite -> JNLP -> Build). I get this kind of warning:
    Warning: No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-18) or after any future revocation date.
This RFE requires modifying harness/jnlp.xml, harness/common.xml (in order to pass the TSA URL to makejnlp) and org.netbeans.nbbuild.MakeJNLP (which uses a sign task to sign the JARs) to handle this (optional) parameter. The Ant "signjar" task already supports the TSA URL and the TSA certificate, as you can see here: http://ant.apache.org/manual/Tasks/signjar.html
Look at org.apache.tools.ant.taskdefs.SignJar too: http://kickjava.com/src/org/apache/tools/ant/taskdefs/SignJar.java.htm
Please consider adding the following methods to org.netbeans.nbbuild.MakeJNLP:
    public void setTsaUrl(String tsaUrl) {
        getSignTask().setTsaurl(tsaUrl);
    }
    public void setTsaCert(String tsaCert) {
        getSignTask().setTsacert(tsaCert);
    }
If no TSA URL is provided, tsaurl should be null (don't use an empty string). makemasterjnlp has to be modified too.
There is the same problem with NBM signing. The updater considers an NBM unsigned even though it is signed with a trusted certificate, and there is no means of passing a TSA URL.
If NetBeans uses Apache Ant, I think it's a bug in Ant. I'm trying to sign one jar using a timestamp authority, but it doesn't work. Here is the relevant piece of my build.xml Ant file:
    ...
    <target name="Signlib" depends="init">
        <signjar alias="${alias}" keystore="${keystore}" keypass="${keypass}" storepass="${storepass}" tsa="https://timestamp.geotrust.com/tsa">
            <fileset dir="${lib.dir}/temp" excludes="" includes="*.jar" />
        </signjar>
    </target>
My Ant output is this:
    [signjar] Signing JAR: webstart/lib/DatosPersonales.jar to webstart/lib/DatosPersonales.jar as XXXXX-2013
    [signjar] jar signed.
    [signjar]
    [signjar] Warning:
    [signjar] The signer certificate will expire within six months.
    [signjar] No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-02-05) or after any future revocation date.
    [signjar] Enter Passphrase for keystore: Enter key password for XXXXX-2013.
My Ant version:
    $ ant -version
    Apache Ant(TM) version 1.9.6 compiled on June 29 2015
I tried from jarsigner and it works:
    $ jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore ../misc/XXXX.jks -storepass "****" -keypass "****" DatosPersonales.jar XXXX-2013
I'm verifying like this:
    $ jarsigner -verify -verbose -certs DatosPersonales.jar | grep "entry"
And it displays:
    [entry was signed on 1/18/16 2:39 AM]
I hope it helps in solving this bug.
Please ignore my last comment #2. It was my mistake: it's tsaurl instead of tsa. Apache Ant works for timestamp authority. I can't delete my comment.
Created attachment 161749: NBM Time Stamping Authority
See the attached patch for MakeNBM.
My previous patch just needs something like tsaurl=http://tsa.startssl.com/rfc3161 in project.properties to work. (I haven't tested tsacert, but it should work too.)
Marking issue type as DEFECT since even the NBM build system complains about it: Warning: No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (yyyy-mm-dd) or after any future revocation date. Also, self-signed keytool certificates are only valid for 90 days so -tsa really seems handy for the majority of plugin developers.
Also marking as P2:
> Product feature doesn't work, a workaround may exist but it's difficult to use or impractical
since it's not possible to work around this without recompiling MakeNBM.java yourself. Please review and apply the patch.
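A build-pipeline check for the condition the jarsigner warning in this thread describes, as an added example that is not part of the original report or of the NetBeans harness. It looks in each META-INF signature block for the DER-encoded RFC 3161 timestamp-token attribute OID (1.2.840.113549.1.9.16.2.14); the function names and the sample JARs are constructed for illustration, and this is a presence heuristic that validates neither the signature nor the token.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-timeStampToken, RFC 3161),
# the unsigned attribute that carries the TSA token inside the PKCS#7 block.
TS_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def signature_blocks(jar):
    """Map each signature block file in the JAR to True if it holds a timestamp token."""
    result = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # Signature block files sit directly in META-INF/, not in subdirectories.
            if (upper.startswith("META-INF/") and upper.count("/") == 1
                    and upper.endswith(SIG_BLOCK_EXT)):
                result[name] = TS_TOKEN_OID in zf.read(name)
    return result


def is_timestamped(jar):
    """True only if the JAR is signed and every signature block is timestamped."""
    blocks = signature_blocks(jar)
    return bool(blocks) and all(blocks.values())


def make_sample_jar(sig_payloads):
    """Build a constructed in-memory JAR; payloads are stand-ins, not real PKCS#7."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, payload in sig_payloads.items():
            zf.writestr(name, payload)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = {
        "unsigned": {},
        "signed, no TSA": {"META-INF/SIGNER.RSA": b"\x30\x82constructed"},
        "signed with TSA": {"META-INF/SIGNER.RSA": b"\x30\x82" + TS_TOKEN_OID},
    }
    for label, payloads in samples.items():
        print(f"{label}: timestamped={is_timestamped(make_sample_jar(payloads))}")
```

A JAR or NBM that fails this check should still be confirmed with `jarsigner -verify -verbose -certs`, which remains the authoritative verification.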