What happens to signed code when the code signing certificate expires? In many cases, an expired certificate means that the signature validation will fail and a trust warning will appear in the browser.
Time-stamping was designed to alleviate this problem. The idea is that at the moment the code was signed, the certificate was confirmed to be valid, and therefore the signature is valid; the time-stamp records that moment. This is much the same as a handwritten signature, which does not stop being genuine because the pen has since run dry.
The main benefit is that it extends trust in the code beyond the validity period of the certificate: the code stays trusted for as long as you can run it. It also means that if the certificate is revoked down the road, the code can still be trusted.
Time-stamping the signature is implemented as follows:
Upon receipt of a time-stamped signature, the following is done for verification:
In the event that the code-signing certificate must be revoked due to a compromise, the revocation is made dependent on a specific date. The idea is to choose a date that is before the compromise took place. This means that signatures with time-stamps before the revocation date remain valid, while signatures time-stamped on or after that date are rejected.
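The verification and revocation rules described above, as an added example that is not Entrust's code or any real verifier: it models the decision as a pure function over dates, assuming the signature and the time-stamp token have already been cryptographically checked (the `signature_ok` and `timestamp_ok` flags), and that all times are UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class SigningCert:
    """Validity window of a code-signing certificate plus an optional
    revocation-effective date (the 'chosen date' described above)."""
    not_before: datetime
    not_after: datetime
    revoked_from: Optional[datetime] = None


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware UTC dates (assumed convention)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def verify_timestamped_signature(
    cert: SigningCert,
    signed_at: Optional[datetime],   # time from the trusted TSA token, or None
    now: datetime,
    signature_ok: bool = True,       # assumed: signature already checked
    timestamp_ok: bool = True,       # assumed: TSA token already checked
) -> Tuple[bool, str]:
    """Return (valid, reason). The certificate's validity and revocation
    are judged at the time-stamp instant when one is present; otherwise
    at the current time, which is why untimestamped code fails on expiry."""
    if not signature_ok:
        return False, "signature does not verify against the certificate"
    if signed_at is None:
        effective = now                       # no time-stamp: judge it today
    elif not timestamp_ok:
        return False, "time-stamp token is not trusted"
    else:
        effective = signed_at                 # judge it as of signing time
    if not (cert.not_before <= effective <= cert.not_after):
        return False, "certificate was not valid at the effective time"
    if cert.revoked_from is not None and effective >= cert.revoked_from:
        return False, "certificate was revoked as of the effective time"
    return True, "ok"
```

A certificate valid through 2020 with code time-stamped mid-2020 still verifies in 2022, and a revocation dated September 2020 only rejects signatures time-stamped from that date onward.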
Entrust operates the following time-stamp authorities:
This is the sixth post in our code-signing series. Check out the full list to read past entries and see what's upcoming.