How to validate if a signed jar contains a timestamp?

java jar digital-signature code-signing trusted-timestamp
user199092 picture user199092 · Oct 30, 2009 · Viewed 13.8k times · Source

After a jar is signed and the -tsa option was used, how can I validate that the time stamp was included? I tried:

jarsigner -verify -verbose -certs myApp.jar

But the output does not specify anything about the time stamp. I'm asking because even if I have a typo in the -tsa URL path, the jarsigner succeeds. This is the GlobalSign TSA URL: http://timestamp.globalsign.com/scripts/timstamp.dll and the server behind it apparently accepts any path (ie. timestamp.globalsign.com/foobar), so in the end I'm not really sure my jar is time stamped or not.

Answer

Andrei T picture Andrei T · Jun 16, 2014

From https://blogs.oracle.com/mullan/entry/how_to_determine_if_a:

You can use the jarsigner utility to determine if a signed JAR has been timestamped as follows:

jarsigner -verify -verbose -certs signed.jar

where signed.jar is the name of your signed JAR. If it is timestamped, the output will include lines of the following indicating the time it was signed:

[entry was signed on 8/2/13 3:48 PM]

If the JAR is not timestamped, the output will not include those lines.

Related questions

Can't execute jar- file: "no main manifest attribute"

I have installed an application, when I try to run it (it's an executable jar) nothing happens. When I run it from the commandline with: java -jar "app.jar" I get the following message: no main manifest attribute, in "app.…

Read More
Running JAR file on Windows

I have a JAR file named helloworld.jar. In order to run it, I'm executing the following command in a command-line window: java -jar helloworld.jar This works fine, but how do I execute it with double-click instead? Do I …

Read More
How to import a jar in Eclipse

How do I import a jar in Eclipse?

Read More