Hey, I hope it's going well,
The Minecraft .jar files (both client.jar and server.jar) are signed with an intermediate certificate (CN = Mojang) that is valid from April 5th 2012 → April 6th 2015 (almost exactly 10 years ago!). As the entries in the jar file have been signed after the certificate expired, it makes it harder to trust the authenticity of the jar file.
The root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” was also temporarily revoked by Microsoft at the end of 2023, but subsequently reverted. It's not clear to me why it was revoked; I expect it was for good reason and likely reverted after it caused widespread issues.
The jar file could also be signed against a timestamping authority to provide proof that the jar was signed while the certificate was valid.
The validity of the jar file can be checked with jarsigner -verify -verbose -certs client.jar.
I know this bug report does not affect vanilla gameplay or the regular user at all, but I believe it is important as we have seen increasingly complex supply chain attacks where purely downloading over HTTPS might not be good enough. Making it easy for 3rd party tools (or possibly even the vanilla launcher) to validate the integrity of the downloaded code that is going to be run is important to ensure the full chain of trust.
I have attached screenshots showing the certificate chain, and the expiry date. Please let me know if you need any more information.
Many thanks,
modmuss 🙂
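Added example, not part of the original report and not Mojang's code: a triage check for the condition described above, a signature block in META-INF that carries an expired certificate and no RFC 3161 timestamp token. It finds certificate validity windows heuristically (a SEQUENCE of exactly two time values) and assumes DER-encoded blocks; the function names and the sample bytes are constructed for illustration.

```python
import zipfile
from datetime import datetime, timezone

# DER bytes of OID 1.2.840.113549.1.9.16.2.14 (RFC 3161 signature time-stamp token attribute)
TST_OID = bytes.fromhex("2a864886f70d010910020e")
# Constructed sample, not a real signature block: one Validity pair, no timestamp attribute.
SAMPLE_BLOCK = b"\x30\x20\x30\x1e\x17\x0d120405000000Z\x17\x0d150406235959Z"

def parse(der):
    """Parse DER into (tag, value, children) tuples; single-byte tags only."""
    nodes, pos = [], 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length == 0x80:
            raise ValueError("indefinite-length BER is not handled")
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        value, pos = der[pos:pos + length], pos + length
        nodes.append((tag, value, parse(value) if tag & 0x20 else []))
    return nodes

def to_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 maps 50-99 to 19xx
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_block(der, now):
    """Summarize one signature block: certificate windows, timestamp presence, verdict."""
    info, stack = {"validity": [], "timestamped": False}, parse(der)
    while stack:
        tag, value, kids = stack.pop()
        stack.extend(kids)
        if tag == 0x06 and value == TST_OID:
            info["timestamped"] = True
        if tag == 0x30 and len(kids) == 2 and all(k[0] in (0x17, 0x18) for k in kids):
            info["validity"].append(tuple(to_time(k[0], k[1]) for k in kids))
    info["expired"] = any(end < now for _, end in info["validity"])
    info["unprovable"] = info["expired"] and not info["timestamped"]
    return info

def check_jar(jar, now):
    """Map each META-INF signature block in a jar (path or file object) to its summary."""
    with zipfile.ZipFile(jar) as z:
        return {n: check_block(z.read(n), now) for n in z.namelist()
                if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))}

if __name__ == "__main__":
    print(check_block(SAMPLE_BLOCK, datetime.now(timezone.utc)))
```

This only inspects structure; it does not verify any signature or the timestamp itself, so jarsigner -verify remains the authoritative check.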
Comments 2
Thank you for your report!
After consideration, the issue is being closed as Won't Fix.
Please note that this is not the same as Working as Intended, as this bug report correctly describes behavior in the game that might not be the intended or desirable behavior, but it will not be fixed right now. Sometimes, this is because the issue reported is minor and/or impossible to change without large architectural changes to the code base.
It is likely because of the time validation of the certificate.