Bug 34699 - [Xamarin.Android jarsigner]Warning: No -tsa or -tsacert is provided and this jar is not timestamped.
Status: RESOLVED DUPLICATE of bug 33687
Alias: None
Product: Android
Classification: Xamarin
Component: Tools and Addins
Version: 5.1
Hardware: PC Windows
: --- enhancement
Target Milestone: ---
Assignee: Jonathan Pryor
Reported: 2015-10-08 15:59 UTC by Jon Douglas [MSFT]
Modified: 2017-09-19 13:48 UTC

Description Jon Douglas [MSFT] 2015-10-08 15:59:58 UTC
*Description

Java 1.7u51 introduced a new strict warning regarding timestamps which occurs when creating an .apk through Xamarin Studio / Visual Studio. This common warning can be ignored by most developers, but might have a potential fix for when invoking the jarsigner via one of the Xamarin.Android target files.

Error: Xamarin.Android.Common.targets: Warning: No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date {DATE} or after any future revocation date.

Fix: Ideally include a valid cert via the `-tsa` parameter passed to jarsigner:

Known Workarounds: 

1) Set a property group like so:

http://blog.ostebaronen.dk/2015/06/getting-rid-of-no-tsa-or-tsacert-is.html

<AndroidSigningKeyAlias>alias -tsa http://timestamp.digicert.com</AndroidSigningKeyAlias>

2) Provide the -tsa parameters to jarsigner when manually signing your .apk.

Forums: https://forums.xamarin.com/discussion/30955/what-is-this-warning-warning-no-tsa-or-tsacert-is-provided-and-this-jar-is-not-timestamped

*Version Information

Xamarin.Android 5.1.6.7
Xamarin Visual Studio 3.11.1450.0
Xamarin Studio(Mac) 5.9.7

Comment 1 Jonathan Pryor 2015-10-12 11:31:24 UTC

*** This bug has been marked as a duplicate of bug 33687 ***

Comment 2 Jared Kells 2015-12-08 00:51:01 UTC
This is marked resolved as a duplicate of 33687 but that bug is private so we can't see the details.

What's the current recommended workaround for this issue?

Comment 3 Jonathan Pryor 2015-12-17 21:18:13 UTC
> What's the current recommended workaround for this issue?

Cycle 7 will introduce a couple of new MSBuild properties which will allow working around the issue:

$(JarsignerTimestampAuthorityUrl): Provides the `jarsigner -tsa` parameter url.

$(JarsignerTimestampAuthorityCertificateAlias): Provides a `jarsigner -tsacert` parameter alias value.

For example, if you have a Timestamp Authority URL, you can update your .csproj to contain:

  <PropertyGroup>
    <JarsignerTimestampAuthorityUrl>
      http://example.com/my-cert-authority
    </JarsignerTimestampAuthorityUrl>
  </PropertyGroup>

We're also working on getting proper IDE settings for these new properties, but IDE support may not make it in time for cycle 7.

The problem with the above properties is that it'll require manual intervention: you will need to "somehow" determine what certificate authority URL or certificate alias to use, and update your project accordingly. (Even once there's IDE support to set those values, you still need to "somehow" know what values to use!)

We'd like to provide a nice default that doesn't require knowing WTF a "certificate authority" IS, but we haven't been able to figure out how to do that yet, or if it's even possible.

Comment 4 Miha Markic 2017-09-19 13:48:38 UTC
Jonathan's sample has a typo. It has to be in a single line otherwise jarsigner will complain (will take newlines I guess). The guy below works fine.

<PropertyGroup>
    <JarsignerTimestampAuthorityUrl>http://timestamp.comodoca.com</JarsignerTimestampAuthorityUrl>
</PropertyGroup>
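
Added example (not part of the thread and not Xamarin tooling): a small Python lint that checks a .csproj for the two signing-property patterns discussed above, a `JarsignerTimestampAuthorityUrl` value wrapped across lines (Comment 4) and a `-tsa` option embedded in `AndroidSigningKeyAlias` (workaround 1). The function names and the sample project are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Properties from this thread whose text is handed to jarsigner.
TSA_URL = "JarsignerTimestampAuthorityUrl"
KEY_ALIAS = "AndroidSigningKeyAlias"


def local_name(tag):
    """Strip the MSBuild XML namespace, if present, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def lint_signing_properties(csproj_text):
    """Return a list of (property, problem, normalized_value) findings."""
    findings = []
    for elem in ET.fromstring(csproj_text).iter():
        name, raw = local_name(elem.tag), elem.text or ""
        value = " ".join(raw.split())  # collapse newlines and indentation
        if name == TSA_URL:
            if not value:
                findings.append((name, "empty", value))
            elif raw != value:
                # Comment 4: a value wrapped onto its own lines carries the
                # newlines and indentation along with the URL.
                findings.append((name, "extra-whitespace", value))
        elif name == KEY_ALIAS and any(t.startswith("-tsa") for t in value.split()):
            # Workaround 1: the timestamp option rides along inside the alias,
            # so the signing configuration is not visible in its own property.
            findings.append((name, "tsa-in-alias", value))
    return findings


# Constructed sample project combining both patterns from the thread.
SAMPLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <AndroidSigningKeyAlias>alias -tsa http://timestamp.digicert.com</AndroidSigningKeyAlias>
    <JarsignerTimestampAuthorityUrl>
      http://example.com/my-cert-authority
    </JarsignerTimestampAuthorityUrl>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for prop, problem, value in lint_signing_properties(SAMPLE):
        print(f"{prop}: {problem} -> {value!r}")
```

The third element of each finding is the single-line value to put back into the project file.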