我们的 Java 代码签名证书将在一个月内到期,我们刚刚使用 Verisign 对其进行了更新。我假设这足以避免我们的客户看到任何与证书相关的错误消息。
我们是否应该使用新证书再次签署 jar 并将其重新部署给客户端?
提前致谢
问问题
637 次
3 回答
2
Yes, you need to sign them again. The certificate itself will tell it's own expire date, and the certificate is deployed along with your package. It's an entirely new certificate you've got (even if the issuers often refer to it as a "renewal").
Installers and other verification software will usually not use the Internet to check the validity of the certificate. Instead, they will check the expire date in your certificate file (which is packed into the signed JAR file), and check the validity of the certificate by checking against the computes' built-in list of issuer certificates (CA). The only time the Internet is used in this process is to download a revocation list - a database of certificates revoked before their expiry date - but this will usually not be done in realtime, but on a scheduled basis.
于 2010-09-27T19:36:13.887 回答
2
正如与digicert支持团队讨论的那样
不,如果您在签名过程中使用了时间戳参数,则不会。
请注意这里的示例:https ://www.digicert.com/code-signing/java-code-signing-guide.htm#jarsigner
-tsa http://timestamp.digicert.com参数
这使得您的签名在可预见的未来有效。如果您使用时间戳,则无需续订和退出该特定文件
您只需要更新您的证书即可签署您创建的未来新 jar 文件
于 2016-08-23T05:49:15.803 回答
0
Yes. You have new signing certificates, and the versions currently deployed are signed with the old certificate, so it is like nothing changed for your users.
For your new certificate to be taken into account, you have to sign again your JAR files with the new certificate, and redeploy the new signed files to the clients.
于 2010-09-27T19:35:10.630 回答