(2 votes, average: 4.50 out of 5)
If you’ve developed your software, or you’re a software development company who develops software, then it’s a no-brainer that you know how important user trust is when it comes to the success of software. If the user trusts your software, then they’ll download and install it. In addition, to make your software trustworthy, it’s essential that users don’t face any security warnings when downloading or installing.
So, to assure software users and prevent unwanted warnings during download and installation, you take the necessary step of code signing your software using the certificate offered by globally trusted certificate authorities.
Granted, code signing your software to make it appear trustworthy is vital, but there’s one more feature known as timestamping, which is optional, and you shouldn’t take it lightly. And, if you don’t timestamp your digital signature at the time of code signing your software, you may run into big trouble in the future.
Timestamping is an optional feature provided with the code signing certificate that allows software users and the system to recognize your digital signature even after your code signing certificate expires.
Time Stamping is an optional feature given by certificate authorities like Sectigo and Comodo in Code Signing Certificate that preserves your digital signature once you code sign your software package. Due to time stamping authority, your digital signature remains valid, recognized & accepted by the operating system once your code signing certificate expires.
Once your signed software gets executed, the embedded signature gets verified. Henceforth, if the software is timestamped, the user’s computer will verify the signature based on the time you signed your software instead of the current time and date of the software got executed.
Further, if the software isn’t timestamped, its signature gets verified with the current time. So, if you have distributed your signed software a few months or years earlier and the code signing certificate you used to sign the software package may have expired. So, the signature might no longer be considered valid by the operating system, and your software will be seen as untrustworthy and treated similarly to unsigned software.
Suppose you purchased a comodo code signing certificate with a validity period of one year (1-1-2021 – 12-31-2021) and you code signed and time stamped your software in December 2021. Hence, if the user downloads your signed software in January 2022 and tries running, an error will be displayed if you don’t time stamp your software because the operating system will verify the signature based on the current time and date. Similarly, if you have time stamped your software, it’ll run smoothly without any error because time stamped software is verified against the time it’s signed.
Lastly, the time stamp is signed and secured by the CA (certificate authority), which prevents tampering or malicious activity. Similarly, it’s a free feature given with a code signing certificate by default by all the CAs.
The TSA (Time Stamp Authority) offers a time stamp that uses various encryption and decryption methods based upon PKI (Public Key Infrastructure) technology for providing time stamps. In sectigo code signing certificate, time stamping helps sign the software program that helps verify the date & time the software package was signed. Time stamping is done with the help of a time stamping server through a URL such, as Sectigo and Comodo have their own time stamping server that their customers can use.
Whenever you code signed and time stamped your software package, its hash gets uploaded over the comodo timestamp server. And, then the time stamp server does the job such as:
Further, a client can time stamp the server’s signature for verification and trust the time stamp information.
Generally, there are two protocols for software time stamping, and they’re:
Further, RFC-3161 is updated with RFC 5035, which also allows using ESSCertIDv2. Authenticode that’s useful for signing other file formats such as .exe, .cab, .dll and .ocx.
Many code signing tools like Microsoft Sign Tool offers time stamping as an optional setting. So, ensure you know about the working of time stamping and which development tool you should use.
Making time stamping as a priority and a needed part of your code signing certificate process is recommended, as it proves helpful. For instance, by time stamping your signed software, you can prevent unwanted warnings and errors when you release different software versions.
Time stamping requires extra commands & flags at the time of code signing software package along with the URL for getting the time stamp signature of the CA. And these steps can differ depending on the tool you use. Therefore, it’s recommended that you document all the steps, so the time stamping process becomes easier, especially for other team members who are doing it for the first time or don’t have enough experience.
Time stamping allows the operating system to verify whether the signed software package is released before or after the revocation of a code signing certificate. Therefore, if you’ve time stamped your software package and you revoke your code signing certificate, your user won’t face any invalid signature error, and the signature on that software will remain valid. Because the time stamp verifies against the revocation date, and if your software package is signed and time stamped before the revocation of a code signing certificate occurred, the signature will be considered valid.
We hope this quick guide helps you understand how vital time stamping is despite code signing your software. All in all, time stamps assure that your digital signature is secure, trustworthy, and valid, even after your code signing certificate expires or is revoked. Lastly, we’ve also mentioned some of the recommended time stamp practices you should follow during code signing and time stamping your software.