Java -tsa or -tsacert timestamp for self-signed applet jar

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/21695520/

Time: 2020-08-13 10:07:15  Source: igfitidea

-tsa or -tsacert timestamp for applet jar self-signed

java jar applet signed-applet

Asked by Raja Peela

When I was trying to self-sign the jar like below:

jarsigner -keystore mykeystore myjar.jar myalias

It gives a warning like:

No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2014-05-08) or after any future revocation date.

Please help to resolve the problem.

Accepted answer by l --marc l

The recent Java 7 provides a (courtesy?) warning about something which has been in place for a decade...

Trusted Timestamping was introduced in Java 5 (2004). The motivation was so that developers would not be forced "to re-sign deployed JAR files annually" when the certificates expired.

http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html

A URL-based Time Stamp Authority (TSA) is usually provided by the issuing Certificate Authority (CA) to work with the same certificates the CA issued. For example, the digicert tsa url can be accessed as follows:

jarsigner -tsa http://timestamp.digicert.com [.. other options]

http://www.digicert.com/code-signing/java-code-signing-guide.htm

Time stamping with a self-signed certificate may be an elusive goal since (1) a TSA timestamp needs to be a trusted arms-length transaction (which rules out "self timestamping"), and (2) typical TSA URLs are set up to work with the certificates provided by the same CA organization (i.e. the TSA URL does not process a self-signed certificate).

Update:

URLs to try for timestamping self-signed certificates:

  • Symantec: -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp (per comment by brad-turek)

For a private network, one could consider an internal Timestamp Authority such as Thales (nCipher) Time Stamp Server (or historically OpenTSA).

Answer by Timmy

This error is caused if updates were made with JDK Java/Oracle 1.7 u51. This JDK is NOT identical to the previous one.

You can install a previous version of the JDK BEFORE u51 (for example 1.7u45), or install JDK 6.

Then, when you re-compile, you won't see the error.

Answer by Malte

This warning tells you that your jar's certificate will expire in May. Hence, users will not be able to execute your program after this date.

To improve the situation, the timestamp feature was added. This way, you can tell users: "I used the certificate at this point of time (which is provided and verified by the time stamp agency - tsa), when it was still valid!" As long as you do not change and re-sign your jar, it will still run, even after the certificate expires, because users see that at the point of creation the certificate was indeed valid.

For reference: http://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html

tl;dr: if you ignore the warning, your jar won't run after 14-05-08. Add a timestamp, and it will still run as long as you don't modify anything.

Regards
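
A check for the behaviour described in this answer, as an added example that is not part of the original post: it reads a signed jar and reports, per entry, whether the signature carries a TSA timestamp and whether that time falls inside the signer certificate's validity period. The class name TimestampCheck and the jar path argument are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (class name is an assumption): timestamp report for a signed jar.
public class TimestampCheck {
    public static void main(String[] args) throws Exception {
        // args[0]: path to a signed jar supplied by the reader (assumption)
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // META-INF holds the manifest and the signature files themselves
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known once the entry has been read to the end;
                // a modified entry raises SecurityException during the read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED      " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate cert = (X509Certificate)   // first cert = signer's own
                            s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp();   // null: signed without -tsa/-tsacert
                    if (ts == null) {
                        System.out.println("NO TIMESTAMP  " + e.getName()
                                + " (signer cert expires " + cert.getNotAfter() + ")");
                        continue;
                    }
                    Date t = ts.getTimestamp();
                    boolean inside = !t.before(cert.getNotBefore()) && !t.after(cert.getNotAfter());
                    System.out.println((inside ? "TIMESTAMPED   " : "TS OUTSIDE    ")
                            + e.getName() + " signed at " + t);
                }
            }
        }
    }
}
```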

Answer by vedant shirke

I was facing the same problem. Without the timestamp the jar would not get signed.

When you add -tsa http://timestamp.digicert.com, it would not give any warning or error but still the jar would not be signed.

But then I added the following part and it worked for me.

-tsacert alias

So, basically my final command was:

jarsigner -verbose -tsa http://timestamp.digicert.com -tsacert alias  -sigalg SHA256withRSA -digestalg SHA1 -keystore my-release-key.keystore android-release-unsigned.apk alias_name

Remember the alias_name in the command and the one in keystore should be the same.