What is the URL of a timestamp server for jarsigner?

[Mark Riordan]

In Java 5.0, jarsigner is now able to access a timestamp server
to put a timestamp in the signature.
However, I cannot find a timestamp server that is compatible
with jarsigner.

For example, when I do:

jarsigner -tsa http://timestamp.verisign.com/scripts/timstamp.dll -keystore
my.keystore -storepass mystorepass MyApplet.jar mycert

I get:

jarsigner: unable to sign jar: java.io.IOException: MIME Content-Type is not
application/timestamp-reply

Extensive Googling has given me all sorts of hints on how to
timestamp with Microsoft Authenticode, but that does not apply
to Java.

Can anyone help?

Thanks.

Mark Riordan

 

[Roedy Green]

jarsigner: unable to sign jar: java.io.IOException: MIME Content-Type is not
application/timestamp-reply

Verisign's service I believe is only available if you bought your code
signing cert from Verisign.

see http://mindprod.com/jgloss/timestamp.html

 

[Roedy Green]

jarsigner: unable to sign jar: java.io.IOException: MIME Content-Type is not
application/timestamp-reply

What is supposed to happen, is if the CA does not want to sign your
request, it is supposed to return the correct mime type with a
human-readable trailer error message.

Did you buy your code-signing cert from Verisign? If so, check up on
their website about timestamping and make sure you are properly
registered for the service.

I found a test suite for timestamping, but only 2 actual timestamp
services that use the Java protocol. The world is suffering from too
many standards.

 

[Mark Riordan`]

Did you buy your code-signing cert from Verisign? If so, check up on
their website about timestamping and make sure you are properly
registered for the service.

I bought it from Thawte (owned by Verisign).
Neither Thawte nor Verisign knows anything about Java.

I found a test suite for timestamping, but only 2 actual timestamp
services that use the Java protocol. The world is suffering from too
many standards.

Can you share the URL for those services?

Thanks!

Mark R

(P. S. I couldn't decode your spamified email address.)

 

[Roedy Green]

Can you share the URL for those services?

see http://mindprod.com/jgloss/timestamp.html

The protocol 3631 was originally for Microsoft CAB and visual basic
files. Fortunately, it was designed to be extensible to arbitrary code
signing, now Java is using it.

As I say in my essay, even after searching for over an hour, I could
find only two 3631 timestamping services. There are products to set
up your own timestamp service though, but you really need an
arms-length third party since you could easily fudge your own service.

 

[timestamp]

Necromancing this old thread to point out that a free TSA timestamp server is available here, using a well known root (Equifax):
https://timestamp.geotrust.com/tsa

More details on the VeriSign page:
https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR185

Don't forget about the proxy params for HTTPS:
-J-Dhttps.proxyHost=<hostname>
-J-Dhttps.proxyPort=<portnumber>

(For a plain HTTP timestamp server, the proxy params are called -J-Dhttp.proxyHost and -J-Dhttp.proxyPort)