whitesource / unified-agent-distribution


Certificate signed jar expired #46

Closed chrismelman closed 1 year ago

chrismelman commented 1 year ago

Currently our CI/CD pipelines are checking the signature on the code in the jar before running it, using the following command:

jarsigner -verify -strict wss-unified-agent.jar

This currently fails since some of the content is signed by an expired certificate.

This is the feedback from the jarsigner:

- Signed by "CN=whitesource software inc, O=whitesource software inc, STREET=79 Madison Ave, L=New York, ST=New York, OID.2.5.4.17=10016, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US" on Mon Dec 26 11:12:32 UTC 2022
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 4096-bit key

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.

With additional information on the certificates used for signing:

      >>> Signer
      X.509, CN=whitesource software inc, O=whitesource software inc, STREET=79 Madison Ave, L=New York, ST=New York, OID.2.5.4.17=10016, C=US
      Signature algorithm: SHA256withRSA, 2048-bit key
      [certificate expired on 12/12/2022, 00:59]
      X.509, CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
      Signature algorithm: SHA384withRSA, 2048-bit key
      [certificate is valid from 02/11/2018, 01:00 to 01/01/2031, 00:59]
      X.509, CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
      Signature algorithm: SHA384withRSA, 4096-bit key
      [trusted certificate]
      >>> TSA
      X.509, CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 21/09/2022, 02:00 to 22/11/2033, 00:59]
      X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 23/03/2022, 01:00 to 23/03/2037, 00:59]
      X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
      Signature algorithm: SHA384withRSA, 4096-bit key
      [certificate is valid from 01/08/2022, 02:00 to 10/11/2031, 00:59]
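The report quoted above carries the detail that decides whether an expired signer is tolerable: the DigiCert timestamp is dated 26 Dec 2022, but the signer certificate expired on 12 Dec 2022, so the jar was signed after the certificate had already lapsed and the timestamp cannot vouch for it. The following Python script is an added example, not code from the issue or from the WhiteSource project; it parses a `jarsigner -verify -verbose -certs` report into that distinction. It assumes jarsigner's dd/MM/yyyy date format as printed in the reporter's locale, treats those local times as UTC for a day-level comparison, and uses a constructed copy of the report above as input.

```python
import re
from datetime import datetime, timezone

# Constructed sample, trimmed from the jarsigner report quoted in the issue.
# Dates are in the dd/MM/yyyy form jarsigner printed in the reporter's locale.
SAMPLE_OUTPUT = """\
- Signed by "CN=whitesource software inc, O=whitesource software inc, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US" on Mon Dec 26 11:12:32 UTC 2022
      >>> Signer
      X.509, CN=whitesource software inc, O=whitesource software inc, C=US
      [certificate expired on 12/12/2022, 00:59]
      >>> TSA
      X.509, CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US
      [certificate is valid from 21/09/2022, 02:00 to 22/11/2033, 00:59]

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
"""

TIMESTAMP_RE = re.compile(r'Timestamped by ".*?" on (.+)')
EXPIRED_RE = re.compile(r'\[certificate expired on (\d{2}/\d{2}/\d{4}), (\d{2}:\d{2})\]')


def parse_timestamp(text):
    """Return the TSA timestamp as an aware UTC datetime, or None if the jar
    carries no timestamp.  jarsigner prints it like 'Mon Dec 26 11:12:32 UTC 2022'."""
    m = TIMESTAMP_RE.search(text)
    if not m:
        return None
    ts = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Z %Y")
    return ts.replace(tzinfo=timezone.utc)


def signer_expiries(text):
    """Collect '[certificate expired on ...]' dates, but only from the
    '>>> Signer' section so an expired TSA certificate is not misattributed.
    Assumption: dd/MM/yyyy local time, treated as UTC (day-level accuracy)."""
    expiries = []
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(">>> "):
            section = s[4:]
            continue
        m = EXPIRED_RE.search(s)
        if m and section == "Signer":
            exp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%m/%Y %H:%M")
            expiries.append(exp.replace(tzinfo=timezone.utc))
    return expiries


def assess(text):
    """Classify a jarsigner report.

    "ok"                   no expired signer certificate reported
    "expired-timestamped"  signer cert has since expired, but the timestamp
                           proves signing happened while it was still valid
    "signed-after-expiry"  timestamp is later than the expiry: the jar was
                           signed with an already-expired certificate
    "expired-no-timestamp" expired and nothing proves when signing happened
    """
    expiries = signer_expiries(text)
    if not expiries:
        return "ok"
    ts = parse_timestamp(text)
    if ts is None:
        return "expired-no-timestamp"
    if any(ts > exp for exp in expiries):
        return "signed-after-expiry"
    return "expired-timestamped"


# Suggested pipeline policy: only "ok" and "expired-timestamped" pass.
ACCEPTABLE = {"ok", "expired-timestamped"}


def should_accept(text):
    return assess(text) in ACCEPTABLE


if __name__ == "__main__":
    verdict = assess(SAMPLE_OUTPUT)
    print(f"verdict: {verdict}; accept: {should_accept(SAMPLE_OUTPUT)}")
```

In a pipeline the report text would come from running `jarsigner -verify -verbose -certs` on the downloaded jar; the script deliberately keeps the "expired-timestamped" case separate from "signed-after-expiry", because a strict verifier treats both as the same warning while only the second one indicates a signing process that was already broken at the time of release.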

LenaKleyner commented 1 year ago

Hi @chrismelman, thank you for reporting this, and I apologize for the delay in responding. This issue has been resolved. Please let us know if you still encounter any problems with the jar verification.

Thanks,

Lena

chrismelman commented 1 year ago

@LenaKleyner I have downloaded the latest jar from the release and from https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar. Both still have the same problem? Is there another source where I should check for the latest jar?

LenaKleyner commented 1 year ago

Please accept my apologies, the fix will be deployed on Sunday, in version 23.1.1 of the UA. I am sorry for the confusion.

chrismelman commented 1 year ago

Thanks for the fast response, I will try it next week.

chrismelman commented 1 year ago

Thanks, the new release can indeed be verified correctly. I will close the issue.