is OWS ignoring the certificate chain of code-signing-certificates? #611

Open
AlBundy33 opened this issue Dec 20, 2024 · 0 comments

AlBundy33 commented Dec 20, 2024

Since our code-signing certificate expired this month (see #610), we bought a new one and signed our app with it.
But even though we got our cert from a "real" root CA, OWS complains about the certificate.

Same check as in the referenced issue, but this time with a still valid cert:

```
jarsigner -verbose  -verify -certs org.ehcache_3.9.6.jar
....
sm       390 Tue Aug 24 21:34:48 CEST 2021 OSGI-INF/org.ehcache.impl.internal.store.disk.OffHeapDiskStoreProviderFactory.xml

      [entry was signed on 20.12.24 02:26]
      >>> Signer
      X.509, CN=...our certificate...
      [certificate is valid from 26.11.24 01:00 to 30.12.27 00:59]
      X.509, CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
      [certificate is valid from 22.03.21 01:00 to 22.03.36 00:59]
      X.509, CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
      [certificate is valid from 22.03.21 01:00 to 19.01.38 00:59]
      >>> TSA
      X.509, CN=DigiCert Timestamp 2024, O=DigiCert, C=US
      [certificate is valid from 26.09.24 02:00 to 26.11.35 00:59]
      X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
      [certificate is valid from 23.03.22 01:00 to 23.03.37 00:59]
      X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 01.08.22 02:00 to 10.11.31 00:59]


  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

- Signed by "...our certificate..."
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 4096-bit key
  Timestamped by "CN=DigiCert Timestamp 2024, O=DigiCert, C=US" on Fr Dez 20 01:26:19 UTC 2024
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 4096-bit key

jar verified.

The signer certificate will expire on 2027-12-30.
The timestamp will expire on 2031-11-10.
```

```
unzip -p org.ehcache_3.9.6.jar META-INF/*.RSA | openssl pkcs7 -inform DER -noout -print_certs
subject=C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing CA R36

issuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing Root R46


subject=...our certificate...

issuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing CA R36


subject=C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing Root R46

issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
```
AlBundy33 changed the title from "is OWS ignoring the certificate chain?" to "is OWS ignoring the certificate chain of code-signing-certificates?" on Dec 20, 2024
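
An added example, not part of the issue and not OWS code: a small Python check that reads `openssl pkcs7 -print_certs` output like the one posted above, rebuilds the leaf-to-top path from the subject/issuer names, and reports the storage order and which issuer a verifier has to resolve from its own trust store. It links certificates by DN string only (no signature or key check) and assumes unique subjects; the function names and the embedded sample, which repeats the issue's output with its elided leaf subject, are this example's own.

```python
import re

# `openssl pkcs7 -print_certs` output as quoted in the issue; the leaf
# subject is elided there, so the same placeholder is used here.
R36 = "C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing CA R36"
R46 = "C = GB, O = Sectigo Limited, CN = Sectigo Public Code Signing Root R46"
USERTRUST = ("C = US, ST = New Jersey, L = Jersey City, "
             "O = The USERTRUST Network, CN = USERTrust RSA Certification Authority")
LEAF = "...our certificate..."
SAMPLE = (f"subject={R36}\n\nissuer={R46}\n\n\n"
          f"subject={LEAF}\n\nissuer={R36}\n\n\n"
          f"subject={R46}\n\nissuer={USERTRUST}\n")


def parse_certs(text):
    """Return [(subject, issuer), ...] in the order stored in the PKCS#7 block."""
    subjects = re.findall(r"^subject=(.+)$", text, re.M)
    issuers = re.findall(r"^issuer=(.+)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired subject/issuer lines")
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]


def analyze_chain(certs):
    """Link certificates by DN only (no signature check; assumes unique subjects)."""
    issuer_of = dict(certs)
    # The leaf is the one subject that did not issue any other bundled cert.
    leaves = [s for s, _ in certs
              if not any(i == s and other != s for other, i in certs)]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    path = [leaves[0]]
    while (nxt := issuer_of[path[-1]]) in issuer_of and nxt not in path:
        path.append(nxt)
    top_issuer = issuer_of[path[-1]]
    return {
        "path": path,                                   # leaf -> ... -> top
        "stored_in_path_order": [s for s, _ in certs] == path,
        "top_self_signed": top_issuer == path[-1],
        # Issuer a verifier must resolve outside the bundle, if any.
        "external_issuer": None if top_issuer == path[-1] else top_issuer,
        "unlinked": [s for s, _ in certs if s not in path],
    }


if __name__ == "__main__":
    for key, value in analyze_chain(parse_certs(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the posted output this reports that the bundle is stored intermediate-first and that the certificate named "Sectigo Public Code Signing Root R46" in the bundle names USERTrust RSA Certification Authority as its issuer rather than itself.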