Sectigo Issues Service Alert for Java Developers Using Code Signing Time Stamping Service

Some Users of Time Stamping for Java Should Re-Sign Applications by July 9, 2019m to Avoid Potential Errors; Company Provides Detailed KnowledgeBase Article

ROSELAND, N.J. – May 8, 2019 – Sectigo, the world’s largest commercial Certificate Authority and a leader in web security solutions, has advised customers using its Code Signing certificates to time stamp Java applications about an upcoming certificate expiration. Left unaddressed in the coming months, the expiration could result in error messages or performance gaps with signed Java applications, depending on the production environment.

To prevent any potential performance gaps, Sectigo strongly advises customers using its time stamping service to re-sign Java code between now and July 9, 2019. Sectigo has provided a detailed guide that developers can use to determine if their time-stamped Java applications require re-signature.

Time Stamping Overview

Time-Stamp Protocol (TSP), defined by RFC 3161, is used to prove the point in time at which an object (such as a software executable) existed and was signed. Time stamping and digitally signing a digital file can:

• Establish the point in time at which the file existed and was digitally signed
• Prove that the digital certificate used to sign the item was valid at that point in time
• Be assured of the identity of the entity (organization or person) that signed the item for purposes of non-repudiation
• Guarantee that data has not changed since that point in time

A trusted time stamping/code signing combination is an integral part of secure software distribution processes. By including time-stamping when digitally signing a piece of software, the developer implements Long-Term Validation (LTV) of the digital signature. The validity of a time stamping service is bound to the validity period of its server certificate. Some time stamps issued through timestamp.comodoca.com TSA use a time stamping certificate that expires July 9th, 2019.

Affected Java Code

Java code signed with the Comodo/Sectigo time stamping service at timestamp.comodo.com may be affected if it was signed with the time stamping certificate that expires on July 9, 2019. Depending on the organization’s runtime environment, such Java applications could begin experiencing performance issues on either July 9, 2019 or the day the code signing certificate used to sign the code expires (whichever date is later).

Not affected are:

• Signed code running on all operating systems other than Java, including Windows,
• All code signed after March 4, 2019 by Sectigo or Comodo Code Signing certificates, regardless of the Code Signing certificate expiration date or the operating system.

Recommended Response

To ensure continued correct performance, developers should re-sign and deploy all affected Java code prior to July 9, 2019.

Developers may use the previously employed Code Signing certificate for the new signing event or a subsequently obtained Code Signing certificate (including renewal or replacement certificates). There is no need to replace the Code Signing certificate prior to re-signing Java code.

The Sectigo KnowledgeBase Article, “Addressing timestamp.comodoca.com TSA Certificate Expiration,” provides answers to likely questions and detailed instructions to determine the expiration dates of time stamping and code signing certificates used by Java developers.

Support

For help with expired Code Signing certificates, customers may also contact Sectigo at https://sectigo.com/support.

About Sectigo

Sectigo (formerly Comodo CA) provides web security products that help customers protect, monitor, recover, and manage their web presence and connected devices. As the largest commercial Certificate Authority trusted by enterprises globally for more than 20 years, and more than 100 million SSL certificates issued in over 200 countries, Sectigo has the proven performance and experience to meet the growing needs of securing today’s digital landscape.