How to verify that timestamping is done correctly for signed code
I have just got my code signing certificate from StartSSL and am trying to sign our installer.

The signing process goes well and I get an installer exe that Windows no longer complains about being from unknown publisher. This is great!

However, I tried to make sure that the timestamping also works as advertised, so I moved my PC date to 2012, after my code signing certificate's expiration date.

This supposedly should not make any difference but when I run the same installer exe I now get the same nasty "unknown publisher" warning.

Looking at the properties of the exe in the Digital Signatures tab I can definitely see that the timestamp shows today (2010) but this does not seem to help at all.

Googling gave me nothing except that if you see the date in the Timestamp field then all is OK. I cannot believe this; my PC with the advanced date complains that it is not OK.

Does anyone know if this timestamping concept works at all and how to make sure I am signing the executable correctly?

Thanks.

Poock answered 6/2, 2010 at 16:32. Comments (2):
"rem" seems to have the correct answer. You can read more about "Lifetime Signing Semantics" at download.microsoft.com/download/9/c/5/…. (Helgoland)
Note Mark Berry's comment to rem's answer. It apparently depends upon which level of validation you have as to whether StartSSL supports timestamping. (Krahling)
The code-signing certificates issued by StartSSL contain the enhanced key usage (EKU) attribute "Lifetime Signing" (1.3.6.1.4.1.311.10.3.13), which causes the file signatures to expire when the certificate expires, regardless of any timestamps.

Hickox answered 8/2, 2010 at 5:58. Comments (3):
According to this post in the official StartCom forum, which references this comparison chart, "time-stamping is supported for code signing certs in the Extended Validation level." So it sounds as if you buy their highest-level validation (which is still comparatively inexpensive), this problem goes away. Kinda makes sense that they want a higher validation level for certs that don't expire. Caveat: haven't tested this myself. (Coloratura)
Also note that "StartSSL™ Extended Validation certificates are currently restricted to corporations, business entities, government entities and other legally established organizations"; they are not available for individual developers. (Improbability)
It looks like StartCom/StartSSL changed this recently. I have an old certificate (now expired) which has this attribute, but I bought a new one a few days ago, which doesn't have it! In StartCom's forum there is also a posting saying that. (Confraternity)
Sorry, I don't have an answer for you, but it does look like you shouldn't be seeing the behavior that you are, according to Comodo's Instant SSL FAQ.

    Is timestamped code valid after a Code Signing Certificate expires?
    Timestamping ensures that code will not expire when the certificate expires. If your code is timestamped, the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Comodo seems to be authoritative on this subject, so I'm inclined to believe what they say.

I'm anxiously waiting for the answer on this myself, because I'd very much like to purchase a code signing cert from StartSSL myself. I did notice on their site, that the code certs are 'beta' so maybe this is something they need to get the kinks worked out of.

Submarginal answered 6/2, 2010 at 21:30. Comments (1):
Same here for StartSSL. I think the OP should talk to their customer support and see what they have to say. (Dudleyduds)
There is a difference between the "Signing Time" and the timestamp from the "Stamping Signer". The signing time is the time when you actually signed the code, whereas the timestamp is from the "stamping signer" (the certificate server).

Signing with the certificate issuer's timestamp will actually make sure that your signature is still valid even if your certificate has already expired.

Earthly answered 7/2, 2010 at 2:16. Comments (1):
Will Windows say the certificate has expired (which looks bad to users), or will Windows revert to the standard "unknown publisher" warning that one would usually get? (Arthromere)
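The answers above make two separate points that are worth checking by hand: Hickox's, that a Lifetime Signing EKU in the signer certificate overrides any timestamp, and Earthly's, that the signer-asserted signing time is not the same thing as a countersignature from a timestamp authority. The PowerShell script below is an added example, not code from the original thread or from any of the posters. It signs an installer with signtool, asking for an RFC 3161 timestamp, then reads the signature back the way Windows evaluates it and looks for the Lifetime Signing OID. It assumes signtool.exe from the Windows SDK is on PATH, that the code-signing certificate and its private key are in the CurrentUser\My store, and that the thumbprint, TSA URL and installer path are placeholders you replace; none of those values come from the page.

```powershell
# Added example, not code from the original thread. Assumes signtool.exe (Windows SDK)
# is on PATH, the code-signing certificate with its private key is in CurrentUser\My,
# and the installer is .\Setup.exe. The thumbprint and TSA URL below are placeholders:
# substitute your own certificate and your CA's RFC 3161 timestamp server.
param(
    [string]$File         = ".\Setup.exe",
    [string]$Thumbprint   = "0000000000000000000000000000000000000000",
    [string]$TimestampUrl = "http://timestamp.example.invalid"
)

# szOID_KP_LIFETIME_SIGNING. If present in the signer certificate's EKU, Windows treats
# the signature as expired once the certificate expires, timestamp or not.
$LifetimeSigningOid = "1.3.6.1.4.1.311.10.3.13"

# 1. Sign, asking the TSA for an RFC 3161 countersignature (/tr, /td). Without /t or /tr
#    the file carries no trusted time at all and the signature dies with the certificate.
& signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Read the signature back. TimeStamperCertificate is filled only from the TSA
#    countersignature, never from the signingTime attribute the signer asserts about
#    itself, so it is the field that tells you timestamping actually happened.
$sig = Get-AuthenticodeSignature -FilePath $File
"Status         : $($sig.Status) - $($sig.StatusMessage)"
"Signer         : $($sig.SignerCertificate.Subject)"
"Signer expires : $($sig.SignerCertificate.NotAfter)"
if ($sig.TimeStamperCertificate) {
    "Timestamped by : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning "No timestamp countersignature found."
}

# 3. Walk the signer certificate's Enhanced Key Usage extension and look for
#    Lifetime Signing. .NET already exposes that extension as X509EnhancedKeyUsageExtension.
$ekus = $sig.SignerCertificate.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages }
$ekuText = ($ekus | ForEach-Object { "{0} ({1})" -f $_.FriendlyName, $_.Value }) -join ', '
"EKUs           : $ekuText"

if ($ekus | Where-Object { $_.Value -eq $LifetimeSigningOid }) {
    Write-Warning ("Certificate carries Lifetime Signing ({0}); the signature stops validating " +
                   "at {1} regardless of the timestamp." -f $LifetimeSigningOid, $sig.SignerCertificate.NotAfter)
} elseif (-not $sig.TimeStamperCertificate) {
    Write-Warning "Certificate is fine, but re-sign with /tr <TSA URL> so the signature outlives it."
} else {
    "OK: timestamped signature without Lifetime Signing; it stays valid after $($sig.SignerCertificate.NotAfter)."
}

# 4. signtool's own verifier prints the timestamp and its chain as well; /pa selects the
#    default Authenticode verification policy.
& signtool.exe verify /pa /v $File
```

To repeat the clock test from the question, run step 2 again after moving the system date past the signer certificate's NotAfter: with a timestamped signature and no Lifetime Signing EKU, Status stays Valid; if the EKU is present, the timestamp does not help and the warning in step 3 is the reason.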
