everything working even with expired code signing cert

gkatz
Posts: 4
Joined: 22 Nov 2023, 13:32

Post by gkatz »

hi all; using ows with eclipse temurin 17 and a code signing cert that expired 12 days ago...

my builds continue as usual and even though the jar signing logs now say the cert is expired, the build and jar signing passes and the JNLP file can be launched with no issues, no prompts or anything. everything seems to magically keep on working. it's like no one cares that the code signing cert has expired

can someone explain this? i would expect the build to fail and/or the browser/ows runtime to reject the jar downloading due to the fact they aren't signed with a valid cert... i am confused. any comments would be appreciated. thanks.

here is a log output from jar signing of a single jar (there are more like this):
[signjar] The signer certificate expired on 2024-03-09. However, the JAR will be valid until the timestamp expires on 2031-11-10.
[signjar] jar signed.

Janak Mulani
Posts: 929
Joined: 24 Mar 2020, 13:37

Re: everything working even with expired code signing cert

Post by Janak Mulani »

OWS is not responsible for the build and jar signing.

OWS checks the jar signing only after downloading the jar.

If a jar has a problematic certificate, such as an expired/expiring/invalid certificate, you will see a log entry: "Jar found at <path to jar in the cache> has been verified as SIGNED_NOT_OK"
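A log check for the two messages quoted in this thread, added here as an example (it is not OWS code and not from either poster): it pulls the certificate and timestamp expiry dates out of the signjar warning and lists the cached jars that an OWS log reports as SIGNED_NOT_OK. The function names, the sample jar path and the assumption that the OWS message appears on one line exactly as quoted above are illustrative.

```python
import re
from datetime import date

# Message formats as quoted in this thread.
SIGNJAR_RE = re.compile(
    r"The signer certificate expired on (\d{4}-\d{2}-\d{2})\. "
    r"However, the JAR will be valid until the timestamp expires on "
    r"(\d{4}-\d{2}-\d{2})\."
)
OWS_RE = re.compile(r"Jar found at (.+?) has been verified as SIGNED_NOT_OK")


def scan_build_log(lines, today):
    """Return one finding per signjar warning about an expired signer cert."""
    findings = []
    for line in lines:
        m = SIGNJAR_RE.search(line)
        if not m:
            continue
        cert_end = date.fromisoformat(m.group(1))
        tsa_end = date.fromisoformat(m.group(2))
        findings.append({
            "cert_expired_on": cert_end,
            "days_since_cert_expiry": (today - cert_end).days,
            "timestamp_valid_until": tsa_end,
            # Negative once the timestamp itself has expired.
            "days_until_timestamp_expiry": (tsa_end - today).days,
        })
    return findings


def scan_ows_log(lines):
    """Return cached jar paths that the OWS log reports as SIGNED_NOT_OK."""
    return [m.group(1) for line in lines if (m := OWS_RE.search(line))]


# Constructed sample input; the jar path is a placeholder.
BUILD_LOG = [
    "[signjar] The signer certificate expired on 2024-03-09. However, the JAR "
    "will be valid until the timestamp expires on 2031-11-10.",
    "[signjar] jar signed.",
]
OWS_LOG = [
    "Jar found at /example/cache/app.jar has been verified as SIGNED_NOT_OK",
    "unrelated log line",
]

if __name__ == "__main__":
    for finding in scan_build_log(BUILD_LOG, date(2024, 3, 21)):
        print(finding)
    for path in scan_ows_log(OWS_LOG):
        print("SIGNED_NOT_OK:", path)
```

Running the build-log scan in CI lets a team fail or warn on an expired signer certificate even though signjar itself still reports "jar signed."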

gkatz
Posts: 4
Joined: 22 Nov 2023, 13:32

Re: everything working even with expired code signing cert

Post by gkatz »

oh ok so only logs from OWS will show this? it will not halt the application or not launch it?

danmoser
Posts: 9
Joined: 08 Mar 2023, 18:38

Re: everything working even with expired code signing cert

Post by danmoser »

@gkatz I'm also interested in this issue. I've executed an app signed with an expired cert and this is what happened:

- If the certificate is unknown to the User/System, a "Security Warning" window will be displayed asking the user to Run the app w/ the option "Always trust this publisher". If that's enabled, the cert will be "known" by OWS.

- If the certificate is known, the app will be executed normally, and you can only see the mention of the corresponding cert in the Log.

You can check the known certificates in the `itw-settings`: https://openwebstart.com/docs/OWSGuide. ... rtificates