<div dir="ltr"><div>Hello,</div><div><br></div><div>I currently have intermittent errors with code signing by Sectigo. Some signed JARs will cause a NullPointerException in jarsigner -verify:</div><div><br></div><div>"C:\Program Files\Java\jdk-14.0.2\bin\jarsigner.exe" -verify -debug adapter.deployment.util-1.95.0.jar<br>Command line args: [-verify, -debug, adapter.deployment.util-1.95.0.jar]<br>jarsigner: java.lang.NullPointerException<br>java.lang.NullPointerException<br> at java.base/sun.security.pkcs.SignerInfo.getTimestamp(SignerInfo.java:568)<br> at java.base/sun.security.util.SignatureFileVerifier.getSigners(SignatureFileVerifier.java:728)<br> at java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:300)<br> at java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:268)<br> at java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)<br> at java.base/java.util.jar.JarVerifier.update(JarVerifier.java:230)<br> at java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:759)<br> at java.base/java.util.jar.JarFile.getInputStream(JarFile.java:840)<br> at jdk.jartool/sun.security.tools.jarsigner.Main.verifyJar(Main.java:698)<br> at jdk.jartool/sun.security.tools.jarsigner.Main.run(Main.java:264)<br> at jdk.jartool/sun.security.tools.jarsigner.Main.main(Main.java:118)</div><div><br></div><div>(this is the <a href="http://java.net">java.net</a> 14 GA release; it also happens on Zulu-8)</div><div><br></div><div>Looking at the code, this seems to be a TS validation error suppressed internally. 
And indeed, if I try to validate the timestamp in the PKCS7 SECTIGO_.RSA file (with BouncyCastle), it tells me that it looks like the TSA has provided the wrong certificate.</div><div><br></div><div>This is of course something I need to check with Sectigo (does anybody have the same experience?).</div><div><br></div><div>However, there are two questions:</div><div><br></div><div>a) should jarsigner, when signing with a TSA, do some validation, especially on the received timestamp object? (I can't try a different jarsigner for signing due to the isolated sign server; I think the version that created the signature is Java 8.)<br></div><div><br></div><div>b) should the TS validation in jarsigner -verify either be ignored/skipped (in some other places it looks like the same exception is already caught and ignored), or should it throw a more qualified error than an NPE (in -strict mode)?</div><div><br></div><div>Regards</div><div>Bernd<br></div><div><br></div><div>BC Test Code:</div><div><br></div><div><a href="https://gist.github.com/ecki/42aaa3a8621344c1cd0034c440a73400" target="_blank">https://gist.github.com/ecki/42aaa3a8621344c1cd0034c440a73400</a></div><div><br></div><div>Failed Sectigo Signature:</div><div><br></div><div>
SECTIGO_.RSA:<br><a href="https://mft.seeburger.de:443/portal-seefx/~public/ZjgwNzgxNWItZGE5MC00MWU2LWFkYWUtOWNkNzkwMTdmODI5?download" target="_blank">https://mft.seeburger.de:443/portal-seefx/~public/ZjgwNzgxNWItZGE5MC00MWU2LWFkYWUtOWNkNzkwMTdmODI5?download</a>
</div><div><br></div><div>(I can share the test jar privately only)<br></div><div><br></div><div>
<div>BC Test Result (failed):</div>
</div><div><br></div><div>TS validating sig file: SECTIGO_.RSA<br>Signature has 3 certs.<br>Has 1 signers<br>Has 1 timestamps<br>TS Signer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA<br>TS generated: Fri Jul 17 15:43:20 CEST 2020<br>Checking C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping Signer #1 <- C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA<br>Failed org.bouncycastle.tsp.TSPValidationException: signature not created by certificate.<br> at org.bouncycastle.tsp.TimeStampToken.validate(Unknown Source)<br> at net.eckenfels.test.jartest.JarTimestampChecker.main(JarTimestampChecker.java:87)</div><div><br></div><div>(I tested with a signature from Comodo and the test program worked)</div><div><br></div></div>
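<div>Added example (not Bernd's gist and not JDK code): a BouncyCastle check that does what the message describes for a signature block file extracted from META-INF/. It pulls the RFC 3161 token from the signer's unsigned signatureTimeStampToken attribute, confirms the imprint is the digest of the signature value, and validates the token against the TSA certificate named in it, returning a named verdict instead of a NullPointerException. It assumes bcprov and bcpkix on the classpath and takes the block file path (for instance SECTIGO_.RSA) as its only argument.</div>

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import java.util.Arrays;
import java.util.Collection;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tsp.TSPValidationException;
import org.bouncycastle.tsp.TimeStampToken;

public class TimestampTokenCheck {
    // Returns a human-readable verdict for the RFC 3161 token embedded in one SignerInfo.
    static String checkTimestamp(SignerInformation signer) throws Exception {
        Attribute tsAttr = signer.getUnsignedAttributes() == null ? null
                : signer.getUnsignedAttributes().get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (tsAttr == null) return "no timestamp attribute";
        // The attribute value is a CMS ContentInfo wrapping the TSTInfo
        TimeStampToken token = new TimeStampToken(ContentInfo.getInstance(tsAttr.getAttrValues().getObjectAt(0)));
        // 1. The message imprint must be the digest of this signer's signature value
        DigestCalculator dc = new JcaDigestCalculatorProviderBuilder().setProvider("BC")
                .build().get(token.getTimeStampInfo().getHashAlgorithm());
        dc.getOutputStream().write(signer.getSignature());
        if (!Arrays.equals(dc.getDigest(), token.getTimeStampInfo().getMessageImprintDigest()))
            return "timestamp imprint does not match the signature value";
        // 2. The token must carry the TSA certificate named by its own SignerIdentifier
        Collection<X509CertificateHolder> tsaCerts = token.getCertificates().getMatches(token.getSID());
        if (tsaCerts.isEmpty()) return "TSA certificate named in the token is not included";
        X509CertificateHolder tsaCert = tsaCerts.iterator().next();
        try { // 3. The TSA signature over the TSTInfo must verify with that certificate
            token.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(tsaCert));
            return "timestamp OK, generated " + token.getTimeStampInfo().getGenTime() + " by " + tsaCert.getSubject();
        } catch (TSPValidationException e) {
            return "timestamp INVALID: " + e.getMessage(); // e.g. "signature not created by certificate"
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // args[0]: the signature block file extracted from META-INF/, e.g. SECTIGO_.RSA (assumed input)
        CMSSignedData sig = new CMSSignedData(Files.readAllBytes(Path.of(args[0])));
        for (SignerInformation signer : sig.getSignerInfos().getSigners())
            System.out.println("signer serial " + signer.getSID().getSerialNumber() + ": " + checkTimestamp(signer));
    }
}
```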