Code Signing Time Stamping: What Is It and Why You Should Care?


Time Stamp Your Signed Software and Keep Your Signature Valid Even After Your Code Signing Certificate Expires

If you develop software, on your own or as a software company, you already know that user trust decides whether a release succeeds. Users download and install software they trust, and the quickest way to lose that trust is a security warning during download or installation.

So, to reassure users and avoid those warnings, you take the necessary step of code signing your software with a certificate issued by a publicly trusted certificate authority.

Code signing is essential, but there is a second step, timestamping, which is optional and which you should not take lightly. If you do not timestamp the digital signature when you sign your software, you can run into real trouble later.

Timestamping is an optional step in the code signing process that lets users and their systems keep recognizing your digital signature as valid even after your code signing certificate has expired.

What Is Time Stamping?

Time stamping is an optional service that certificate authorities such as Sectigo (formerly Comodo CA) offer alongside their code signing certificates. When you sign a software package, a Time Stamp Authority (TSA) run by the CA adds a countersignature that records when your signature was made. Because of that record, your digital signature remains valid, recognized and accepted by the operating system after your code signing certificate expires.

When your signed software is executed or installed, the embedded signature is verified. If the signature is timestamped, the user's computer checks that your certificate was valid at the time you signed the software, not at the time the software is being run.

If the software is not timestamped, the signature is checked against the current time instead. So if you distributed a signed package months or years ago and the code signing certificate you used has since expired, the operating system no longer considers the signature valid, and your software is flagged as untrustworthy and treated much like unsigned software.

Let's look at an example of software that is signed and timestamped.

Suppose you purchase a Comodo code signing certificate with a validity period of one year (1-1-2021 to 12-31-2021) and you sign your software in December 2021. If a user downloads that software in January 2022 and tries to run it, the outcome depends on the timestamp. Without one, the operating system checks the signature against the current date, finds the certificate expired, and shows a warning. With one, the signature is checked against the December 2021 signing time, the certificate was valid then, and the software runs without any error.

Lastly, the timestamp is signed by the CA's TSA with its own private key, so it cannot be altered or forged without detection. The service is free and is offered with code signing certificates by most public CAs, Sectigo and Comodo included.

A Look at the Technology Behind Code Signing Time Stamping

A TSA (Time Stamp Authority) issues timestamps using PKI (Public Key Infrastructure). It does not encrypt anything: it digitally signs a hash together with the current time, and anyone holding the TSA's certificate can verify that signature. For a Sectigo or Comodo code signing certificate, the timestamp records the date and time the software package was signed. Timestamping is done by sending a request to a timestamp server at a URL; Sectigo and Comodo run their own timestamp servers that their customers can use.

What Is a Time Stamping Server?

Whenever you code sign and timestamp a software package, your signing tool sends a hash to the CA's timestamp server (the Sectigo server for Comodo and Sectigo certificates); the file itself never leaves your machine. The timestamp server then does the following:

  • Receives the hash and reads its own trusted clock. It does not see your file and does not check your code signing certificate; that check is done later by the verifier, against the time recorded here.
  • Binds the hash to the current date and time and signs the result with its private key.
  • Returns the signed timestamp token, which your tool embeds in the signature on the software file.
  • In doing so, records the date and time the signature was made; the token, not a server-side log, is that record.

Later, a client verifying the file checks the TSA's signature on the token and that the TSA's certificate chains to a trusted root; if both hold, it trusts the time recorded in the token.

What Are the Time Stamping Protocols?

Generally, there are two protocols used for software timestamping:

  • RFC 3161, the IETF Time-Stamp Protocol, which is what most signing tools use today (SignTool's /tr option). RFC 3161 has been updated by RFC 5035, which adds ESSCertIDv2 so the token can identify the TSA certificate with a SHA-2 hash instead of SHA-1.
  • Authenticode timestamping, Microsoft's original countersignature format (SignTool's /t option), used with Authenticode-signed file formats such as .exe, .cab, .dll and .ocx.
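The exchange described in the two sections above, as an added example that is not part of the original article and not code from any CA or from SignTool: it builds the RFC 3161 TimeStampReq that a signing tool sends to the timestamp server (the same bytes openssl ts -query produces), decodes it back so you can inspect what a tool sends, and shows the HTTP POST. The sample data, nonce and the TSA URL in the comment are constructed placeholders.

```python
"""Build and decode an RFC 3161 TimeStampReq using only the standard library.
Added example: this is what a signing tool sends to the TSA, not code from the
article, from any CA or from SignTool.  Sample data and TSA URL are placeholders."""
from __future__ import annotations
import hashlib
import os
import urllib.request

OID_SHA256 = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1, DER-encoded


def der_len(n: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def build_tsq(digest: bytes, nonce: int | None = None, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE {
         version        INTEGER (1),
         messageImprint SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING },
         nonce          INTEGER OPTIONAL,
         certReq        BOOLEAN DEFAULT FALSE }
    Only the digest travels to the TSA; the file never leaves the build machine.
    For Authenticode the digest is taken over the signature value, not the file."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    alg_id = tlv(0x30, tlv(0x06, OID_SHA256) + tlv(0x05, b""))
    imprint = tlv(0x30, alg_id + tlv(0x04, digest))
    body = der_integer(1) + imprint
    if nonce is not None:
        body += der_integer(nonce)      # lets the client match the reply to this request
    if cert_req:
        body += tlv(0x01, b"\xff")      # ask the TSA to include its certificate in the token
    return tlv(0x30, body)


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_tsq(tsq: bytes) -> dict:
    """Decode a request back into its fields (useful to inspect what a tool sends)."""
    tag, body, _ = der_read(tsq)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, c, pos = der_read(body, pos)
        fields.append((t, c))
    _, imprint = fields[1]
    _, alg, pos = der_read(imprint)     # AlgorithmIdentifier
    _, oid, _ = der_read(alg)
    _, digest, _ = der_read(imprint, pos)
    out = {"version": int.from_bytes(fields[0][1], "big"), "sha256": oid == OID_SHA256,
           "digest": digest, "nonce": None, "cert_req": False}
    for t, c in fields[2:]:
        if t == 0x02:
            out["nonce"] = int.from_bytes(c, "big")
        elif t == 0x01:
            out["cert_req"] = c == b"\xff"
    return out


def submit_tsq(tsa_url: str, tsq: bytes, timeout: int = 15) -> bytes:
    """POST the request as RFC 3161 section 3.4 prescribes; the reply is a DER
    TimeStampResp carrying the signed token.  Network call, so not run in the demo."""
    req = urllib.request.Request(tsa_url, data=tsq, method="POST",
                                 headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    digest = hashlib.sha256(b"constructed sample file contents").digest()  # constructed input
    tsq = build_tsq(digest, nonce=int.from_bytes(os.urandom(8), "big"))
    print(tsq.hex())
    print(parse_tsq(tsq))
    # submit_tsq("http://tsa.example.test/rfc3161", tsq)  # placeholder URL; use your CA's TSA
```

To check the encoder against a reference, compare its output for a file's SHA-256 digest with `openssl ts -query -data FILE -sha256 -cert -no_nonce`, and inspect a real reply with `openssl ts -reply -in reply.tsr -text`.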

Recommended Time Stamping Practices

1. Enable the Time Stamping Option in Your Code Signing Tool

Many code signing tools, including Microsoft SignTool, offer timestamping as an optional setting rather than a default. In SignTool it is the /tr option (RFC 3161 server URL) or the older /t option (Authenticode server URL), with /td selecting the digest algorithm for the RFC 3161 timestamp. Make sure you understand how timestamping works in the tool you use, and turn it on every time you sign.

2. Add Time Stamping as a Standard Process

Make timestamping a required part of your code signing process rather than an afterthought. For instance, timestamping every release prevents warnings and errors from appearing on older versions once the certificate used to sign them expires.

3. Document the Entire Time Stamping Process

Timestamping needs extra commands and flags at signing time, including the URL of the CA's timestamp server, and these differ from tool to tool. Document every step so the process is repeatable, especially for team members doing it for the first time or without much experience, and include which timestamp server to use and what to do when it cannot be reached.
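The three practices above, combined into one release-script helper as an added example (not code from the article or from Microsoft): it always passes the RFC 3161 timestamp flags to SignTool, retries across timestamp servers because an unreachable TSA is the usual reason a good signing step fails, and refuses to call the build done unless the signature actually carries a timestamp. The certificate thumbprint, the placeholder TSA URLs in the dry run, and the exact wording that verify_timestamped() looks for in SignTool's output are assumptions; confirm the TSA URL with your CA.

```python
"""Sign with SignTool, always requesting an RFC 3161 timestamp, retry across TSA
endpoints, and confirm the timestamp landed.  Added example, not the article's
or Microsoft's code.  The TSA list, thumbprint and the 'signtool verify' output
wording checked below are assumptions to adapt to your environment."""
import subprocess
import time

# Sectigo's public RFC 3161 endpoint at the time of writing.  Confirm the URL in
# your CA's documentation and add a second CA's TSA as a fallback if you have one.
DEFAULT_TSAS = ["http://timestamp.sectigo.com"]


def signtool_sign_args(target: str, thumbprint: str, tsa_url: str, signtool: str = "signtool.exe") -> list:
    """argv for 'signtool sign'.  /fd sets the file digest; /tr plus /td request an
    RFC 3161 SHA-256 timestamp (the legacy Authenticode form would be /t).  /sha1
    picks the certificate from the store (or an HSM-backed CSP) by thumbprint,
    which keeps a PFX password off the command line and out of process listings."""
    return [signtool, "sign", "/fd", "SHA256", "/sha1", thumbprint,
            "/tr", tsa_url, "/td", "SHA256", target]


def signtool_verify_args(target: str, signtool: str = "signtool.exe") -> list:
    """'/pa' applies the default Authenticode policy, '/v' prints the timestamp details."""
    return [signtool, "verify", "/pa", "/v", target]


def sign_with_timestamp(target, thumbprint, tsas=DEFAULT_TSAS, rounds=3, delay=5.0,
                        run=subprocess.run) -> str:
    """Try each TSA in turn, backing off between rounds.  Returns the TSA that
    worked.  `run` is injectable so the retry logic can be exercised without SignTool."""
    last_error = ""
    for attempt in range(rounds):
        for tsa in tsas:
            result = run(signtool_sign_args(target, thumbprint, tsa), capture_output=True, text=True)
            if result.returncode == 0:
                return tsa
            last_error = (result.stderr or result.stdout or "").strip()
        if attempt < rounds - 1:
            time.sleep(delay * (attempt + 1))
    raise RuntimeError(f"signing {target} failed after {rounds} rounds: {last_error}")


def verify_timestamped(target, run=subprocess.run) -> bool:
    """Fail the build if the signature verifies but carries no timestamp.  Assumes
    'signtool verify /v' prints 'The signature is timestamped: ...' when one is
    present and 'File is not timestamped.' otherwise; check your SignTool version."""
    result = run(signtool_verify_args(target), capture_output=True, text=True)
    out = (result.stdout or "").lower()
    return result.returncode == 0 and "is timestamped" in out and "not timestamped" not in out


class FakeResult:
    """Minimal stand-in for subprocess.CompletedProcess, used by demo()."""
    def __init__(self, returncode, stdout="", stderr=""):
        self.returncode, self.stdout, self.stderr = returncode, stdout, stderr


def demo() -> dict:
    """Dry run with a scripted runner (constructed output, no SignTool needed):
    the first placeholder TSA is down, the second one answers."""
    calls = []

    def fake_run(args, **kwargs):
        calls.append(args)
        if args[1] == "sign":
            tsa = args[args.index("/tr") + 1]
            ok = tsa == "http://tsa-b.example.test"
            return FakeResult(0 if ok else 1, "", "constructed: timestamp server could not be reached")
        return FakeResult(0, "The signature is timestamped: 12/15/2021 10:00:00 AM\nTimestamp Verified by: constructed TSA\n")

    tsas = ["http://tsa-a.example.test", "http://tsa-b.example.test"]   # placeholders
    tsa = sign_with_timestamp("app.exe", "0123abcd", tsas=tsas, delay=0, run=fake_run)
    sign_calls = len(calls)
    try:
        sign_with_timestamp("app.exe", "0123abcd", tsas=tsas[:1], rounds=2, delay=0, run=fake_run)
        all_down_raises = False
    except RuntimeError:
        all_down_raises = True
    return {"tsa": tsa, "sign_calls": sign_calls, "all_down_raises": all_down_raises,
            "timestamped": verify_timestamped("app.exe", run=fake_run)}


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the thumbprint comes from the signing host's certificate store and the timestamp server URL from your CA's documentation; keep both in the documented procedure so the next person does not have to rediscover them.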

When the Need Arises, You Can Revoke Your Code Signing Certificate

A revocation has an effective date, and timestamping lets the operating system tell whether a signed package was signed before or after that date. So if you have timestamped your packages and later revoke your code signing certificate, users of packages timestamped before the revocation date see no invalid-signature error; those signatures remain valid. Packages signed after that date, or signed without a timestamp, fail verification. One caveat: if you revoke because the private key was compromised, the revocation date should be the earliest time the key could have been misused, which also invalidates your own signatures timestamped after that point. That is the intended behavior, since a thief's timestamped signatures would otherwise stay valid too.
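The decision described here and in the expired-certificate example earlier, worked through in code as an added example (a simplified model of the verifier's logic, not the operating system's code): the signing certificate is judged at the time the timestamp token attests when a token is present, at the current time when it is not, and a revocation only invalidates signatures made on or after its effective date. The hashing is real, the "signatures" are SHA-256 stand-ins rather than real asymmetric signatures, and the certificates, dates and file bytes are constructed for the scenario.

```python
"""Model of the decision a verifier makes about a code signature, with and
without a timestamp.  Added example of the logic in the article, not the
operating system's code: hashing is real, 'signatures' are SHA-256 stand-ins,
and the certificates and dates are constructed for the scenario."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


def day(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: datetime | None = None   # effective revocation date from CRL/OCSP, if any


@dataclass
class Timestamp:
    tsa: Cert
    signed_at: datetime   # the time the TSA attested
    imprint: bytes        # TSA signed hash(signature value): the token is bound to one signature


@dataclass
class Signature:
    cert: Cert
    file_digest: bytes
    sig_value: bytes      # stand-in for the RSA/ECDSA signature over file_digest
    timestamp: Timestamp | None = None


def fake_sig(cert: Cert, digest: bytes) -> bytes:
    """Stand-in for signing the digest with the certificate's private key."""
    return hashlib.sha256(b"sig:" + cert.subject.encode() + digest).digest()


def sign(data: bytes, cert: Cert, at: datetime, tsa: Cert | None = None) -> Signature:
    digest = hashlib.sha256(data).digest()
    sig_value = fake_sig(cert, digest)
    ts = Timestamp(tsa, at, hashlib.sha256(sig_value).digest()) if tsa else None
    return Signature(cert, digest, sig_value, ts)


def cert_valid_at(cert: Cert, t: datetime) -> tuple[bool, str]:
    """Validity period and revocation are both judged at time t, not at 'now'."""
    if not (cert.not_before <= t <= cert.not_after):
        return False, f"{cert.subject}: not valid on {t:%Y-%m-%d}"
    if cert.revoked_at is not None and t >= cert.revoked_at:
        return False, f"{cert.subject}: revoked as of {cert.revoked_at:%Y-%m-%d}"
    return True, "ok"


def verify(data: bytes, sig: Signature, now: datetime) -> tuple[bool, str]:
    if hashlib.sha256(data).digest() != sig.file_digest:
        return False, "file changed after signing"
    if sig.sig_value != fake_sig(sig.cert, sig.file_digest):
        return False, "signature does not verify"
    if sig.timestamp is None:
        check_time = now                      # no proof of when it was signed
    else:
        ts = sig.timestamp
        if ts.imprint != hashlib.sha256(sig.sig_value).digest():
            return False, "timestamp token does not cover this signature"
        # TSA certificate judged at issue time; a real verifier also chains it to a trusted root
        ok, why = cert_valid_at(ts.tsa, ts.signed_at)
        if not ok:
            return False, "timestamp not trusted: " + why
        check_time = ts.signed_at             # the attested signing time
    return cert_valid_at(sig.cert, check_time)


def demo() -> dict:
    """The article's scenarios: a one-year certificate, signed December 2021 and
    run January 2022; then a certificate revoked effective 2022-03-01."""
    tsa = Cert("Example TSA", day(2020, 1, 1), day(2030, 1, 1))
    signer = Cert("Example Software Ltd", day(2021, 1, 1), day(2021, 12, 31))
    data = b"constructed installer bytes"
    plain = sign(data, signer, day(2021, 12, 15))
    stamped = sign(data, signer, day(2021, 12, 15), tsa=tsa)
    jan = day(2022, 1, 10)
    results = {
        "expired_no_timestamp": verify(data, plain, jan)[0],
        "expired_with_timestamp": verify(data, stamped, jan)[0],
        "tampered_with_timestamp": verify(data + b"!", stamped, jan)[0],
    }
    revoked = Cert("Example Software Ltd", day(2022, 1, 1), day(2022, 12, 31), revoked_at=day(2022, 3, 1))
    before = sign(data, revoked, day(2022, 2, 1), tsa=tsa)
    after = sign(data, revoked, day(2022, 3, 5), tsa=tsa)
    unstamped = sign(data, revoked, day(2022, 2, 1))
    april = day(2022, 4, 1)
    results["revoked_stamped_before"] = verify(data, before, april)[0]
    results["revoked_stamped_after"] = verify(data, after, april)[0]
    results["revoked_no_timestamp"] = verify(data, unstamped, april)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'valid' if ok else 'INVALID'}")
```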

Ending Note on Digital Time Stamps

We hope this quick guide helps you understand how vital timestamping is in addition to code signing your software. In short, a timestamp keeps your digital signature verifiable and trusted even after your code signing certificate expires or is revoked. We have also listed the timestamping practices you should follow when code signing and timestamping your software.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.