How Can I Prevent Needing to Re-sign My Code Every 1 or 2 Years?
Asked Answered
A

3

13

I was reading What happens when a code signing certificate expires - Stack Overflow and wondering about a more solid answer. The answer provided was more about setting up your own CA. Even with your own CA you will still need to deal with expiring code certificates.

If you signed the code without using a time stamping service, after the certificate expires your code will no longer be trusted, and depending on security settings it may not be allowed to run. You will need to re-sign all of your code with a new certificate, or with a renewed certificate, every 1 or 2 years.

Trusted (digital) timestamping allows the digital signature to be valid even after the certificate itself has expired. You would need to re-sign code with the new certificate only if you have made changes.

Does this all sound correct? If so, I need recommendations on what timestamping service to use, preferably from someone who has actually used one. I'd also like to know if there are any in-house solutions, similar to being your own CA.

Right now this applies to PowerShell scripts, but I will eventually have the same issue with other code.

Update: Sample of how to sign a PS script with a timestamp (you can make a script for this):

Set-AuthenticodeSignature -filepath "D:\Projects\A Sample\MyFile.ps1" 
  -cert gci cert:\CurrentUser\My -codesigning 
  | where -Filter {$_.FriendlyName -eq "Thawte Code Signing"}
  -IncludeChain All 
  -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"

Then, to see the Signer Certificate and TimeStamper Certificate, you can do this:

Get-AuthenticodeSignature MyFile.ps1 | fl *

It gives you the Subject (CN, OU, etc.), Issuer, Before/After Dates, and Thumbprints for both your cert and the timestamper's cert. You also get a message indicating the status of the signature.

Anonym answered 26/5, 2009 at 21:52 Comment(0)
S
10

You're better off selecting one of the trusted certificate providers (Verisign, Thawte, Comodo, etc.). This allows you to sign your software without the user explicitly trusting your private root CA. We've used both Verisign and Thawte, Comodo even GoDaddy with timestamping without any issues with the software becoming invalid even years after the certificate expires.

Sugary answered 26/5, 2009 at 22:0 Comment(7)
With Verisign and Thawte did you also have timestamping? Without the timestamping wouldn't some systems complain about the cert being expired, and not run your code?Anonym
@Bratch: Yes you have to use their timestamp server. We never published without it so I can't comment on non-timestamped applications.Sugary
Incidentally, Comodo is the other preinstalled, globally trusted root provider, and has cheaper certs. I haven't messed with timestamping though.Sandhog
Of course, if this is for corporate work, and you have your own AD infrastructure, the story changes somewhat, because you may already need to manage your own CA. Note also that if you create your own CA, you don't have to be limited to 1-2 year periods anyway.Sandhog
@Jaykul: Yep...forgot about that one. We've used them as well with success. I'll add to response.Sugary
@Jaykul: Most (not all) of our work is for the corporate network with our own AD, and our own CA, but the certificates still expire. Are you saying that with our own CA I can get the administrator to approve certs for me that expire after I retire? Or we could use something like 5 or 10 years, which would reduce the frequency that I have to re-sign our entire code base.Anonym
Even for corporate work I vote for using a trusted provider. They already have the infrastructure and knowhow to manage the certificate store so you don't have to worry about it. Certs are much cheaper now and the cost of the cert will be far less than the cost of having someone on staff to manage it.Sugary
W
9

Time stamping is a free service -- it's really only a trusted provider verifying that you signed the file at a given time. Verisign's timestamp service is the standard one. The final example in the help for Set-AuthenticodeSignature demonstrates how to use it.

Lee Holmes [MSFT] Windows PowerShell Development Microsoft Corporation

Warrantor answered 27/5, 2009 at 22:3 Comment(1)
Yep, there it is in Example 3, the -TimeStampServer parameter. Now all I need to do is select one, and find out if I can use it with an internal CA. I may need to do what Paul Alexander suggested above and get an external one. At least that way I know the timestamping service will work with my certificate.Anonym
F
-1

You can't really escape having to resign code eventually. The advantage to running your own CA is that you could choose to issue your code-signing certs with longer lifetimes than the default, thereby allowing you to wait longer before having to resign anything. The downside is of course having another service or server (your CA) to deal with.

Flagstaff answered 30/4, 2013 at 16:51 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.