#14029 closed defect (fixed)
JOSM's digital signature has expired
| Reported by: | scai | Owned by: | Don-vip |
|---|---|---|---|
| Priority: | major | Milestone: | 16.12 |
| Component: | Core Webstart | Version: | tested |
| Keywords: | | Cc: | Don-vip, village |
Description
When launching the web version from https://josm.openstreetmap.de/download/josm.jnlp a warning is shown. It says that the digital signature ("Open Source Developer, Vincent PRIVAT") has expired. In fact the digital signature's validity ranges from Mon Nov 23 01:00:00 CET 2015 to Tue Nov 22 01:00:00 CET 2016.
Attachments (0)
Change History (15)
comment:1 by , 9 years ago
| Cc: | added |
|---|
comment:2 by , 9 years ago
comment:3 by , 9 years ago
| Milestone: | → 16.11 |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
comment:4 by , 9 years ago
| Cc: | added |
|---|
follow-up: 6 comment:5 by , 9 years ago
Please use time stamped signatures because they do not expire with the signing certificate: https://docs.oracle.com/javase/tutorial/deployment/webstart/deploying.html
comment:6 by , 9 years ago
Replying to anonymous:
> Please use time stamped signatures because they do not expire with the signing certificate: https://docs.oracle.com/javase/tutorial/deployment/webstart/deploying.html
Time stamping with Certum did not work anymore and was thus disabled. We should check if we can reenable it after the renewal.
comment:8 by , 9 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
I have re-signed the tested jar and built a new latest jar with the 2016 certificate.
comment:10 by , 9 years ago
Currently, this exception is raised when using a freshly downloaded jnlp from the website:
```
com.sun.deploy.net.JARSigningException: Détection d'une entrée non signée dans la ressource : https://josm.openstreetmap.de/download/josm-tested.jar
    at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
    at com.sun.javaws.security.SigningInfo.check(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.launch(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main.access$000(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
```
comment:11 by , 9 years ago
Somehow the re-signing killed all entries in the manifest except the signatures.
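A pre-publication check for the failure reported in comment:10 and comment:11, as an added example that is not part of the ticket or of JOSM's build: it lists archive entries that have no per-entry digest section in `META-INF/MANIFEST.MF`. The archive contents, class names and digest values are constructed, and the check does not verify the digests or the signature itself.

```python
import io
import zipfile

# Signature files themselves are never listed as signed entries.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def manifest_sections(text):
    """Parse MANIFEST.MF text into one {attribute: value} dict per section."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\n ", "")  # a line starting with one space continues the previous line
    sections = []
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if attrs:
            sections.append(attrs)
    return sections

def unsigned_entries(jar_bytes):
    """Return archive entries that have no per-entry digest section in the manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    digested = {s["Name"] for s in manifest_sections(manifest)
                if "Name" in s and any(k.endswith("-Digest") for k in s)}
    missing = []
    for name in names:
        upper = name.upper()
        is_sig = upper.startswith("META-INF/") and (
            upper == "META-INF/MANIFEST.MF" or upper.endswith(SIG_SUFFIXES)
            or upper.startswith("META-INF/SIG-"))
        if not name.endswith("/") and not is_sig and name not in digested:
            missing.append(name)
    return missing

def build_sample_jar(manifest_text):
    """Constructed in-memory archive; the signature files are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        jar.writestr("META-INF/SIGNER.RSA", b"placeholder")
        jar.writestr("org/example/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("images/logo.png", b"\x89PNG")
    return buf.getvalue()

# Constructed manifest fragments; the digest values are dummies.
MAIN = "Manifest-Version: 1.0\nMain-Class: org.example.Main\n"
ENTRY_A = "\nName: org/example/Ma\n in.class\nSHA-256-Digest: AAAA\n"  # folded Name line
ENTRY_B = "\nName: images/logo.png\nSHA-256-Digest: BBBB\n"
```

An empty result only means every entry is listed with a digest; `jarsigner -verify` on the published jar remains the authoritative check.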
comment:12 by , 9 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
comment:13 by , 9 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Don't know what happened but now it's finally fixed!
comment:14 by , 9 years ago
Thanks to all!
A user reported the error, which I forwarded to talk-de.
It is good for our users to get such a quick solution, and to know about the reason for this error.
He told me that it should be possible to automate the annual(?) update of the signature.
Bests, Markus



The renewal is in progress. A bit late this year, sorry.