This page last changed on Nov 07, 2008 by scytacki.

Java 1.5 introduced the concept of timestamping a Web Start signature.
This is documented here: http://java.sun.com/j2se/1.5.0/docs/guide/security/time-of-signing.html
and mentioned here: http://java.sun.com/j2se/1.5.0/docs/guide/deployment/enhancements-1.5.0.html

These forum threads have some useful information about it: http://forums.sun.com/thread.jspa?threadID=744677 and http://forums.sun.com/thread.jspa?threadID=5309004

Based on those forum threads, though, in practice it won't help. This is because the certificate for the TSA (Time Stamping Authority) needs to be in the trusted certificate list on the user's computer. So for this to work, users would need to take an extra step to install this certificate.

The key issue is this line from the first link above:
"The TSA's certificate must be available from the Plug-in's keystore or certificate stores when the Plug-in is validating a JAR file containing a signature timestamp."

However, it might be that the users of that forum did not set up their original signature correctly. It seems that if the -tsacert alias option is used when signing the jar, then the cert for the TSA is included in the code signing certificate. So hopefully in that case the client doesn't need to install anything. That means, though, that the certificate we get from VeriSign or wherever would have to include this TSA cert.

As noted in the forums above, Firefox includes a Thawte timestamping CA. Looking at the Java certs on 10.4 takes me to the system keychain with the certs. Looking at "X509Anchors", there is a timestamp cert listed as "TC TrustCenter Time Stamping CA".
So possibly on Macs we can sign our jars using this cert and they won't expire.
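
To check on a client machine whether a signed jar actually carries a timestamp and whether its TSA chain is trusted there, the following added example (not from the original page or from Sun's documentation) reads the timestamp through the public `java.security.CodeSigner` API. The class name `TsaTrustCheck` is hypothetical, and the JRE default trust store is assumed to stand in for the Plug-in's certificate stores.

```java
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;
public class TsaTrustCheck { // hypothetical name; run as: java TsaTrustCheck signed.jar
    public static void main(String[] args) throws Exception {
        // Assumption: the JRE default trust store stands in for the Plug-in's certificate stores.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null loads the default store (cacerts)
        Set<X509Certificate> roots = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                roots.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        Set<Timestamp> seen = new HashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Code signers are only populated after the entry has been read to the end.
                try (java.io.InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println("unsigned: " + e.getName()); continue; }
                for (CodeSigner s : signers)
                    if (s.getTimestamp() == null) System.out.println("no timestamp: " + e.getName());
                    else if (seen.add(s.getTimestamp())) report(s.getTimestamp(), roots); // once per distinct timestamp
            }
        }
    }
    static void report(Timestamp ts, Set<X509Certificate> roots) throws Exception {
        List<? extends Certificate> path = ts.getSignerCertPath().getCertificates(); // TSA chain, TSA cert first
        System.out.println("timestamp " + ts.getTimestamp() + " by " + ((X509Certificate) path.get(0)).getSubjectX500Principal());
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate r : roots) anchors.add(new TrustAnchor(r, null));
        List<Certificate> chain = new ArrayList<>();
        for (Certificate c : path) { if (roots.contains(c)) break; chain.add(c); } // a PKIX path excludes the anchor
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check: chain and validity dates only
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            System.out.println("  TSA chain validates against the default trust store");
        } catch (CertPathValidatorException ex) {
            System.out.println("  TSA chain NOT trusted here: " + ex.getMessage());
        }
    }
}
```

A "NOT trusted" result on a target machine corresponds to the situation in the quoted sentence above: the TSA's certificate is not available from that machine's trust store.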

Document generated by Confluence on Jan 27, 2014 16:56