问题描述
当我尝试像下面这样在 jar 中自我登录时.
When I was trying to self-sign in the jar like below.
jarsigner -keystore my keystore myjar.jar myalias
它给出如下警告:
没有提供 -tsa 或 -tsacert 并且这个 jar 没有时间戳.如果没有时间戳,用户可能无法在签名者证书到期日期 (2014-05-08) 或任何未来撤销日期之后验证此 jar.
请帮助解决问题.
推荐答案
最近的 Java 7 提供了一个(礼貌的?)警告,关于一些已经存在了十年的东西......
The recent Java 7 provides a (courtesy?) warning about something which has been in place for a decade...
可信时间戳是在 Java 5 (2004) 中引入的.这样做的动机是为了让开发人员不会在证书过期时被迫每年重新签署部署的 JAR 文件".
Trusted Timestamping was introducing in Java 5 (2004). The motivation was so that developers would not be forced "to re-sign deployed JAR files annually" when the certificates expired.
→http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html
基于 URL 的时间戳机构 (TSA) 通常由颁发证书的证书颁发机构 (CA) 提供,以使用 CA 颁发的相同证书.例如可以通过如下方式访问digicert tsa url:
A URL-based Time Stamp Authority (TSA) is usually provided by the issuing Certificate Authority (CA) to work with the same certificates the CA issued. For example, the digicert tsa url can be access as follows:
jarsigner -tsa http://timestamp.digicert.com [.. 其他选项]
→http://www.digicert.com/code-signing/java-code-signing-guide.htm
带有自签名证书的时间戳可能是一个难以实现的目标,因为 (1) TSA 时间戳需要是可信的公平交易(排除自签名"),并且(2) 典型的 TSA URL 被设置为使用同一 CA 组织提供的证书(即 TSA URL 不处理自签名证书)
Time stamping with self-signed certificate may be an elusive goal since (1) a TSA timestamp needs to be an trusted arms-length transaction (which rules out "self timestamping"), and (2) typical TSA URLs are setup to work with the certificates provided by the same CA organization (i.e. the TSA URL does not process a self-signed certificate)
更新:
尝试为自签名证书添加时间戳的 URL:
URLs to try for timestamping self-signed certificates:
- 赛门铁克:
-tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp(根据 brad-turek 的评论)
- Symantec:
-tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp(per comment by brad-turek)
对于专用网络,可以考虑使用内部时间戳机构,例如 Thales (nCipher) 时间戳服务器(或历史上的 OpenTSA)
这篇关于-tsa 或 -tsacert 时间戳,用于小程序 jar 自签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!