Code signing provides proof of the integrity of executable files, ensuring that they have not been modified or corrupted. Many modern operating systems require code signing mechanisms to protect their users from software code from unknown sources or without guarantees of authenticity. Similar to HTTPS, trusted certificates created by certificate authorities are issued to software developers, who use the certificates to sign software codes. The code signature with time stamp added, after the code signing certificate expires, the digital signature can still be effectively identified.
Why are timestamps added to code signing?
One of the most important parts of code signing is the timestamp, which is part of the signing process. The code signature with time stamp added, after the code signing certificate expires, the digital signature can still be effectively identified.
If software stops working due to an expired code signing certificate, consider the impact to users and how to fix it. Will you be able to push updates, or will this mechanism also break due to signature expiration? How much does it cost to develop and deploy a patch in an emergency? If your software stops working, will your users suffer their own business impact?
Because of the high impact of expired signatures, it is important to fully understand and document the code signing process, and to always time stamp software to keep digital signatures valid over time.
Timestamping is not only a best practice for continuous availability of software, but it also provides security benefits. If a certificate needs to be revoked due to key compromise, anything signed before the revocation date will continue to be valid and any new signatures will be invalid.
How do timestamps work?
Timestamping preserves signatures on software, allowing operating systems and other software to accept signatures after the code signing certificate has expired. When evaluating a signature, time stamping allows the validity of the signature to be checked against the time of the signature rather than the current time at which the software was executed.
If there is no timestamp, the signature will be evaluated against the current date. You may have distributed the software years ago, in which case your certificate will expire and the signature will no longer be valid. This will prevent users from running your software, and depending on the platform, there may be no way to circumvent this.
For example, the code signing certificate is valid throughout 2017 (January 1, 2017 to December 31, 2017), and you signed and timestamped the executable in November 2017. A user downloads an executable and runs it today, and instead of checking whether the code signing certificate is currently valid, they check the timestamp and evaluate whether it was valid in November. It sees that the certificate is valid at the time, and the signature is accepted.
Note that the signature on the executable is checked every time the user runs the executable. This means that if your certificate expires and doesn't have a time stamp, the software will suddenly stop working for all your users.
With most software, you distribute it to users and want it to work for as long as possible - this makes timestamping an important part of the signing process so your software continues to work for many years.
The timestamp itself is signed and protected by your CA, making it resistant to tampering or spoofing and cryptographically secure. Think of timestamps as subsignatures.
How to add timestamp during code signing process?
(1) Use a timestamp tool! Among many tools, such as WoSignCode code signing tool of WoSign, provides a convenient and visual interface for Windows platform code signing, and supports adding time stamps during the code signing process.
(2) Obtain the online timestamp service address. Purchasing a WoSign code signing certificate can provide a time stamp service website that supports Microsoft Authenticode technology and a time stamp service website that supports the international standard RFC3161, which is convenient for users to quickly sign code files and add time stamps.