Why does code signing need to be timestamped?

If you're a software publisher or developer, you know that the success of software often depends on the number of downloads, which in part depends on how much trust users place in it. So, to reassure users and avoid unnecessary warning messages when downloading or installing, you take proactive steps such as signing your code with a trusted code signing certificate. When you sign your code, if you don't use the timestamp option, you could run into some big problems months or years later.

In short, timestamping is an optional part of the signing process that allows users and software to identify whether an app's code signing signature is valid, even after the code signing certificate has expired.

Why are timestamps important?

Let's look at a real-life scenario to understand the importance of code signing timestamps. Let's say you signed and released your software. Everything is fine until your code signing certificate expires after a year. Your installer now displays warnings about untrusted signatures. Of course, you can re-sign and republish the installer package, but you can't fix the copies of the installer that users have already downloaded and that are no longer under your control.

Or, take another example, where code signing is used to validate software updates. What happens if an update is pushed, but the client doesn't install it before the certificate expires? Will your software suddenly stop working because of an expired code signing certificate? Think about how much this would affect the users of your software and how you would provide them with immediate help. Can you still update the software, or will updates be blocked by expired signatures? What is the cost of developing and deploying an emergency patch? How much will the user's business suffer while the software doesn't work?

You might be thinking that these are all problems caused by expired code signing certificates. Exactly, and timestamps are the solution for such scenarios.

Timestamping also provides another benefit: if you have to revoke your code signing certificate because of something like a lost private key, the timestamp saves you by keeping all signed executables and packages working, as long as they were signed before the revocation date. Any new signatures made after the certificate has been revoked, however, will be considered invalid.

Let's provide some background on timestamping in the code signing process and look at some best practices you should follow to make sure you don't run into any issues with software signing.

What is a timestamp?

Timestamping is a feature of code and package signatures. It allows the operating system and other client software to accept (trust) your signed software even after the code signing certificate has expired.

Whenever signed software is executed, its signature is verified, for example by the user's operating system. If you have timestamped your software, the user's computer will verify the signature against the time it was signed, not the current time at which the software is executed.


Of course, if the software does not have a timestamp, its signature is evaluated against the current time. You may have distributed signed software months or years ago, in which case the code signing certificate used to sign the package may have expired and the signature may no longer be considered valid. For example, suppose the code signing certificate you used for signing is valid for the whole of 2019 (January 1, 2019 to December 31, 2019), and you signed the software in November 2019. Today, a user downloads your signed package and tries to run it: without a timestamp, the user gets an error warning. With a timestamp, the operating system uses it to evaluate whether the code signing certificate was valid at the time of signing, rather than on today's date, when the signature is being verified. Additionally, the timestamp is signed and protected by a CA, which prevents tampering or other malicious modification of the software code while maintaining security.
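To make the verification rule concrete, here is an added example (not code from the original article or from any CA's tooling) that models the decision a verifier makes: with a timestamp the certificate's validity and revocation status are evaluated as of the signing time, without one they are evaluated as of the current time. It uses the article's 2019 certificate and a constructed revocation date to cover the lost-key case described above; the signature bytes, certificate chain and TSA countersignature are assumed to have already been checked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Simplified model (constructed): real verifiers also check the signature bytes,
# the certificate chain and the TSA's own countersignature.
@dataclass
class Certificate:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None while the certificate is unrevoked

@dataclass
class Signature:
    cert: Certificate
    timestamp: Optional[datetime]           # RFC 3161 / Authenticode timestamp, or None

def verify_signature(sig: Signature, now: datetime) -> tuple[bool, str]:
    """Return (accepted, reason). With a timestamp the certificate is evaluated
    as of the signing time; without one it is evaluated as of `now`."""
    cert = sig.cert
    effective = sig.timestamp if sig.timestamp is not None else now
    basis = "signing time" if sig.timestamp is not None else "current time"
    if not (cert.not_before <= effective <= cert.not_after):
        return False, f"certificate not valid at {basis}"
    # Revocation only invalidates signatures made at or after the revocation date.
    if cert.revoked_at is not None and effective >= cert.revoked_at:
        return False, f"certificate already revoked at {basis}"
    return True, f"certificate valid at {basis}"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def scenarios() -> dict[str, bool]:
    # Certificate valid for the whole of 2019, as in the article's example.
    cert = Certificate(utc(2019, 1, 1), utc(2019, 12, 31))
    # Same certificate, revoked on a constructed date after a hypothetical key loss.
    revoked = Certificate(utc(2019, 1, 1), utc(2019, 12, 31), revoked_at=utc(2019, 12, 1))
    signed = utc(2019, 11, 15)          # package signed in November 2019
    now = utc(2024, 6, 1)               # user runs the package years later
    return {
        "timestamped": verify_signature(Signature(cert, signed), now)[0],
        "unstamped": verify_signature(Signature(cert, None), now)[0],
        "timestamped_before_revocation": verify_signature(Signature(revoked, signed), now)[0],
        "timestamped_after_revocation": verify_signature(Signature(revoked, utc(2019, 12, 15)), now)[0],
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```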

Techniques Used in Code Signing Timestamps

Timestamps are provided by a certified Timestamp Authority (TSA), which applies a verifiable timestamp using PKI (Public Key Infrastructure) based signing and verification techniques. In code signing, the timestamp records the date and time at which the program was signed, and it is obtained from a timestamp server through a URL. A WoSign code signing certificate comes with a timestamp service URL that supports Microsoft's Authenticode technology and one that supports the international standard RFC 3161. The service is run by an authoritative CA organization and provided to code signing users.


Source: blog.csdn.net/WoTrusCA/article/details/131087952