Re: [orbit-dev] Orbit contribute directly to simrel

My understanding is if the JAR file is not signed with a trusted TSA then there is no verification that the timestamp used at signing time is accurate.  In other words someone with a compromised signing certificate could sign the JAR and backdate it to the valid range of the certificate.  At some point I thought the Eclipse Foundation JAR signing mechanism offered a way to use a TSA during the signing process.  I'm not sure if the JAR in question has a TSA or not:

https://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html

Tom
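Whether a given JAR carries an RFC 3161 timestamp token (the "has a TSA or not" question above) can be checked offline by looking for the id-aa-signatureTimeStampToken attribute inside its CMS signature blocks. This is an added example, not code from this thread or from the Eclipse signing service; the JAR layout (META-INF/*.RSA, *.DSA, *.EC signature blocks) follows the JAR specification, the sample JAR is constructed inline, and the byte-pattern check is a heuristic that reports presence of a token, not whether the TSA is trusted.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-signatureTimeStampToken):
# a CMS SignerInfo that carries a TSA token lists this OID among its unsigned attributes.
TIMESTAMP_ATTR_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signature_blocks(jar_bytes):
    """Return {entry name: bytes} for every signature block directly under META-INF/."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)}


def timestamp_status(jar_bytes):
    """Map each signature block to True if it embeds a timestamp token, else False.

    An empty result means the JAR carries no signature block at all. This is a
    presence check only; trust in the TSA certificate chain and validation of the
    token itself are what `jarsigner -verify` does, so use both.
    """
    return {name: TIMESTAMP_ATTR_OID in blob
            for name, blob in signature_blocks(jar_bytes).items()}


def make_sample_jar(signature):
    """Constructed sample JAR (not a real Eclipse artifact).

    signature: None for unsigned, "plain" for a signature block without a TSA
    token, "timestamped" for one that carries the timestamp attribute OID.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Hello.class", b"\xca\xfe\xba\xbe")
        if signature:
            # Stand-in bytes for a CMS SignedData structure; not a real signature.
            blob = b"\x30\x82\x01\x00" + b"\x00" * 40
            if signature == "timestamped":
                blob += TIMESTAMP_ATTR_OID + b"\x31\x00"
            zf.writestr("META-INF/ECLIPSE_.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/ECLIPSE_.RSA", blob)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_tsa.py path/to/bundle.jar
    with open(sys.argv[1], "rb") as fh:
        print(timestamp_status(fh.read()))
```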
 
 
 
----- Original message -----
From: Pierre-Charles David <pierre-charles.david@xxxxxxx>
Sent by: orbit-dev-bounces@xxxxxxxxxxx
To: orbit-dev@xxxxxxxxxxx
Cc:
Subject: [EXTERNAL] Re: [orbit-dev] Orbit contribute directly to simrel
Date: Thu, Dec 3, 2020 2:05 AM
 
On 26/11/2020 at 19:55, Jonah Graham wrote:

> However there is some technical debt that needs to be dealt with at some point. I think the signatures in the batik 1.6 bundles are now out of date. IIUC they will be fully invalid at the end of 2020. The bundles with the soon to expire signatures that are in current Orbit got resigned: https://bugs.eclipse.org/bugs/show_bug.cgi?id=553288
>
> $ jarsigner -verify -verbose:summary -certs ~/Downloads/org.apache.batik.css_1.6.0.v201011041432.jar
>
> which has in its output:
>
>       [certificate will expire on 31/12/2020, 18:59]


Pardon me if this is naive, I am by no means an expert on these matters, but thinking about this I'm not sure I understand the issue, or the concrete impacts it can have.

I understand that the certificate owned by the foundation is only valid for a certain time, and must be renewed from time to time to ensure the organisation is still alive/legitimate/trustworthy. But if an artifact (here a Batik 1.6 JAR) has been signed at a time when the certificate was valid, and thus the EF assumed trustworthy, how can the signature itself become invalid later? Surely the bits in the JAR are the same as they have always been, and will not magically become different/corrupt/evil on 2021-01-01.

If there is indeed an issue, what concrete effects can we expect when e.g. installing GMF (which embeds the Batik 1.6 JARs in its repo) in an Eclipse instance after 31/12/2020?

 

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev