I signed a jar (of an applet) with timestamp 2 years ago. The cert is about to expire. What will happen? Will there be a warning to the user, will it simply work? Will it stop working?
I didn't add any specific code to the applet to deal with the timestamp. I only included the -tsa url when signing.
Edit: it keeps working.
Prior to Java 5 SE, signed JARs whose signing certificate had expired would no longer be valid or usable.
With Java 5 SE and greater, signed JARs whose signing certificate expires will continue to work. The expired certificate, however, cannot be used to sign any further JARs.
From Oracle's docs: Java SE 8 Documentation > Signature Timestamp Support:
Prior to J2SE 5.0, the signature generated by jarsigner contained no information about when the signature was generated. With no other information available, systems/deployers (including users of the Java Plug-in) often based their validity assessment of a signed JAR file on the validity of the signing certificate. When the signing certificate expires, systems/deployers conclude that the signature, and hence, the JAR file, has expired. Because signing certificates typically expire annually, this caused customers significant problems by forcing them to re-sign deployed JAR files annually.
Starting in J2SE 5.0, jarsigner can generate signatures that include a timestamp, thus enabling systems/deployer (including Java Plug-in) to check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs were added in J2SE 5.0 to allow applications to obtain the timestamp information.