The JAR files of Spectrum OneClick are signed with a certificate chain whose issuing CA certificate is still valid for a long time (until 2024-07-22), but the signer certificate itself already expired on January 8th this year (2022-01-08):
>>> Signer
X.509, CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US
[certificate is valid from 1/8/19 1:00 AM to 1/8/22 12:59 AM]
All jar files under $SPECROOT/tomcat/webapps/spectrum/lib/ are affected.
Here is the detailed output of jarsigner:
----->
spectrum/Java/bin/jarsigner -certs -verbose -verify /spectrum/tomcat/webapps/spectrum/lib/oneclickclient.jar
s 313 Thu Nov 12 01:25:46 CET 2020 META-INF/MANIFEST.MF
>>> Signer
X.509, CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US
[certificate is valid from 1/8/19 1:00 AM to 1/8/22 12:59 AM]
X.509, CN=Symantec Class 3 SHA256 Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 7/22/14 2:00 AM to 7/22/24 1:59 AM]
X.509, CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[trusted certificate]
>>> TSA
X.509, CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 12/23/17 1:00 AM to 3/23/29 12:59 AM]
X.509, CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 1/12/16 1:00 AM to 1/12/31 12:59 AM]
366 Thu Nov 12 01:25:46 CET 2020 META-INF/CACERTS.SF
7986 Thu Nov 12 01:25:46 CET 2020 META-INF/CACERTS.RSA
0 Thu Nov 12 01:25:46 CET 2020 META-INF/
0 Thu Nov 12 00:55:52 CET 2020 com/
0 Thu Nov 12 00:55:52 CET 2020 com/aprisma/
0 Thu Nov 12 00:55:52 CET 2020 com/aprisma/spectrum/
0 Thu Nov 12 00:55:52 CET 2020 com/aprisma/spectrum/signature/
0 Thu Nov 12 01:25:46 CET 2020 com/aprisma/spectrum/signature/oneclickclient/
sm 506 Thu Nov 12 01:25:46 CET 2020 com/aprisma/spectrum/signature/oneclickclient/oneclickclient.class
[entry was signed on 11/12/20 7:25 AM]
>>> Signer
X.509, CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US
[certificate is valid from 1/8/19 1:00 AM to 1/8/22 12:59 AM]
X.509, CN=Symantec Class 3 SHA256 Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 7/22/14 2:00 AM to 7/22/24 1:59 AM]
X.509, CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[trusted certificate]
>>> TSA
X.509, CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 12/23/17 1:00 AM to 3/23/29 12:59 AM]
X.509, CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 1/12/16 1:00 AM to 1/12/31 12:59 AM]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
- Signed by "CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Thu Nov 12 06:25:46 UTC 2020
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
The signer certificate expired on 2022-01-08. However, the JAR will be valid until the timestamp expires on 2029-03-23.
<-------
Spectrum OneClick still starts because the JARs are timestamped.
Release : 20.2.5
Component : Spectrum OneClick
Expiration of the JAR signer Certificate
Engineering has confirmed that the expiry of the signer certificate is not a true security violation, because the JARs were timestamped before the signing certificate expired. They have also stated that the signer certificate has been updated in release 21.2.1 and higher.
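As an added example (not part of this article and not CA/Broadcom code), the following Python script parses a `jarsigner -certs -verbose -verify` report like the one above and applies the rule that jarsigner itself states in its last line: a signature made while the signer certificate was valid stays verifiable, as long as a trusted timestamp proves the signing time, until the timestamping certificate expires. The embedded report is abridged from the output above; the `check_directory` helper assumes a `jarsigner` binary on the PATH (or a path passed in, e.g. `$SPECROOT/Java/bin/jarsigner`) and can be pointed at `$SPECROOT/tomcat/webapps/spectrum/lib/` to assess every JAR at once.

```python
"""Parse jarsigner verification reports and decide whether a JAR signature is
still acceptable after the signer certificate has expired (added example)."""
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Union

# Line formats jarsigner prints in a US-locale report (12-hour clock, 2-digit year).
_VALID_RE = re.compile(r"\[certificate is valid from (.+?) to (.+?)\]")
_TS_RE = re.compile(r'^Timestamped by ".+?" on (\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})')

# Abridged from the jarsigner report shown above (constructed sample input).
SAMPLE_REPORT = """\
s 313 Thu Nov 12 01:25:46 CET 2020 META-INF/MANIFEST.MF
>>> Signer
X.509, CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US
[certificate is valid from 1/8/19 1:00 AM to 1/8/22 12:59 AM]
X.509, CN=Symantec Class 3 SHA256 Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 7/22/14 2:00 AM to 7/22/24 1:59 AM]
>>> TSA
X.509, CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 12/23/17 1:00 AM to 3/23/29 12:59 AM]
X.509, CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[certificate is valid from 1/12/16 1:00 AM to 1/12/31 12:59 AM]
- Signed by "CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US"
Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Thu Nov 12 06:25:46 UTC 2020
jar verified.
The signer certificate expired on 2022-01-08. However, the JAR will be valid until the timestamp expires on 2029-03-23.
"""


@dataclass
class JarSignature:
    signer_dn: Optional[str] = None
    signer_not_before: Optional[datetime] = None   # local time of the verifying host
    signer_not_after: Optional[datetime] = None
    tsa_dn: Optional[str] = None
    tsa_not_after: Optional[datetime] = None
    timestamped_at: Optional[datetime] = None      # UTC, from the "Timestamped by" line
    jar_verified: bool = False


@dataclass
class Verdict:
    status: str                       # "valid" | "valid-via-timestamp" | "expired" | "invalid"
    valid_until: Optional[datetime]
    reason: str


def _parse_validity(text: str) -> datetime:
    # e.g. "1/8/19 1:00 AM". The zone offset is irrelevant at multi-year granularity.
    return datetime.strptime(text, "%m/%d/%y %I:%M %p")


def parse_jarsigner_output(report: str) -> JarSignature:
    """Pick out the leaf signer cert, the leaf TSA cert and the timestamp time."""
    sig = JarSignature()
    section = capture = None   # which ">>> ..." block we are in / which leaf the next validity line belongs to
    first_cert = False         # True right after a ">>> Signer"/">>> TSA" header: the next X.509 line is the leaf
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(">>> "):
            section, first_cert = line[4:], True
        elif line.startswith("X.509, ") and first_cert:
            first_cert, capture = False, section
            if section == "Signer" and sig.signer_dn is None:
                sig.signer_dn = line[len("X.509, "):]
            elif section == "TSA" and sig.tsa_dn is None:
                sig.tsa_dn = line[len("X.509, "):]
            else:
                capture = None   # a second signer/TSA block: keep the first one
        elif (m := _VALID_RE.match(line)) and capture:
            not_before, not_after = _parse_validity(m.group(1)), _parse_validity(m.group(2))
            if capture == "Signer":
                sig.signer_not_before, sig.signer_not_after = not_before, not_after
            else:
                sig.tsa_not_after = not_after
            capture = None
        elif m := _TS_RE.match(line):
            sig.timestamped_at = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%a %b %d %H:%M:%S %Y")
        elif line == "jar verified.":
            sig.jar_verified = True
    return sig


def assess(sig: JarSignature, now: Union[datetime, str]) -> Verdict:
    """Apply the timestamp rule: proven signing time inside the signer's validity keeps the JAR valid until the TSA cert expires."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not sig.jar_verified or sig.signer_not_after is None:
        return Verdict("invalid", None, "jarsigner did not verify the signature")
    if sig.timestamped_at is not None and sig.tsa_not_after is not None:
        if not sig.signer_not_before <= sig.timestamped_at <= sig.signer_not_after:
            return Verdict("invalid", None, "timestamp lies outside the signer certificate's validity")
        if now > sig.tsa_not_after:
            return Verdict("expired", sig.tsa_not_after, "timestamping certificate has expired; the JAR must be re-signed")
        if now > sig.signer_not_after:
            return Verdict("valid-via-timestamp", sig.tsa_not_after, "signer certificate expired, but the timestamp proves it was valid at signing time")
        return Verdict("valid", sig.tsa_not_after, "signer certificate still valid")
    # No timestamp: the signature is only as good as the signer certificate itself.
    if now > sig.signer_not_after:
        return Verdict("expired", sig.signer_not_after, "signer certificate expired and the JAR carries no timestamp")
    return Verdict("valid", sig.signer_not_after, "signer certificate still valid (no timestamp)")


def check_jar(jar: Path, now: Optional[datetime] = None, jarsigner: str = "jarsigner") -> Verdict:
    """Run jarsigner on one JAR and assess the report (assumes a jarsigner binary)."""
    proc = subprocess.run([jarsigner, "-certs", "-verbose", "-verify", str(jar)],
                          capture_output=True, text=True, check=False)
    return assess(parse_jarsigner_output(proc.stdout), now or datetime.now(timezone.utc).replace(tzinfo=None))


def check_directory(lib_dir: Path, jarsigner: str = "jarsigner") -> dict:
    """Assess every *.jar in a directory, e.g. $SPECROOT/tomcat/webapps/spectrum/lib/."""
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return {jar.name: check_jar(jar, now, jarsigner) for jar in sorted(Path(lib_dir).glob("*.jar"))}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python check_jars.py /path/to/lib [/path/to/jarsigner]
        for name, verdict in check_directory(Path(sys.argv[1]), *sys.argv[2:3]).items():
            print(f"{name}: {verdict.status} until {verdict.valid_until} ({verdict.reason})")
    else:
        v = assess(parse_jarsigner_output(SAMPLE_REPORT), "2022-03-01")
        print(f"sample report: {v.status} until {v.valid_until:%Y-%m-%d} ({v.reason})")
```

Run without arguments it evaluates the embedded report and reports `valid-via-timestamp` until 2029-03-23, matching jarsigner's own conclusion; run with the lib directory it repeats that for every JAR, which is the quick way to confirm that all affected JARs under `$SPECROOT/tomcat/webapps/spectrum/lib/` carry a timestamp rather than relying on the expired signer certificate alone.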