Resign Java code by expired Sectigo timestamping certificate

22 May 2019

The Sectigo timestamping certificate expires on July 9, 2019, and has been replaced. After this date Java-code signed with this certificate will cause warnings. These warnings can be resolved by signing and timestamping the code again.

What are the consequences?

The expiry of the timestamping certificate only has consequences for Java-code signed before March 4, 2019. This may lead to errors during downloading or executing the code after July 9, 2019. The errors can be resolved by signing the code again with a valid code signing certificate. This certificate automatically uses the renewed Sectigo timestamping certificate.

What is the cause of this?

Signing code captures the author of the code. The digital signature that is used for this has a maximum validaty of - currently - 3 years. To make sure the certificate stays controllable after the digital signature has expired, you can add a timestamp. The timestamp captures the signing time independently. This makes it possible to verify a digital signature in the long-term. A timestamping certificate has a validity of approximately 10 years, but does expire in time.