After a jar is signed and the -tsa option was used, how can I validate that the time stamp was included? I tried:
jarsigner -verify -verbose -certs myApp.jar
But the output does not specify anything about the time stamp. I'm asking because even if I have a typo in the -tsa URL path, the jarsigner succeeds. This is the GlobalSign TSA URL: http://timestamp.globalsign.com/scripts/timstamp.dll and the server behind it apparently accepts any path (ie. timestamp.globalsign.com/foobar), so in the end I'm not really sure my jar is time stamped or not.
From https://blogs.oracle.com/mullan/entry/how_to_determine_if_a:
You can use the jarsigner utility to determine if a signed JAR has been timestamped as follows:
jarsigner -verify -verbose -certs signed.jar
where
signed.jar
is the name of your signed JAR. If it is timestamped, the output will include lines of the following indicating the time it was signed:
[entry was signed on 8/2/13 3:48 PM]
If the JAR is not timestamped, the output will not include those lines.