In today’s digital world, Software legitimacy and integrity are necessary for any software publisher and developer. Code Signing certificate assures software publishers by verifying software integrity as well as provides peace of mind to end users that they are installing legit software. Along with the Code Signing certificate, time stamping is also an inevitable feature, which adds an extra security layer. In this article, we will discuss the essentials of time stamping and its practices for software distribution.
What is Time Stamping?
Time stamping assures that the digital signature is valid even after the certificate has expired. Time stamping in a Code Signing certificate preserves a digital signature when a signed software runs on the user’s device. The user’s system verifies the digital signature on the base when it was originally signed. Timestamp records the time and date when a signature was applied. In case the software is not timestamped, the digital signature remains invalid, and users will face an ‘Unknown Publisher’ warning message. For time stamping, RFC 3161 and Microsoft Authenticode are protocols used in time stamping software.
Impact of Expired Code Signing:
- Once the Code Signing certificate is expired, no new updates can be applied and no code can be signed with that certificate. Users will not trust such digital signatures.
- In case the software is signed with timestamping, then the software code remains valid. However, the software signed before the expiry of a certificate remains valid under certain conditions.
Why Does Time Stamping Matter in Code Signing?
If a Code Sign certificate attached to the software is expired and a software publisher without a timestamp has published the software then, an end-user will face a warning about an untrusted digital signature. In this case, a software developer can update the package, but you cannot update the software that early users already downloaded.
– Signature Validity: Here, a timestamp allows an operating system to confirm that the software is signed when a Code Signing certificate was active. A timestamp ensures end users that the code is valid even if a certificate is expired.
– Warning Messages: In the absence of timestamping, software alerts users about unsafe downloading of software. It means the signature attached to the software is not valid now. It, thus, harms the reputation of a software developer or publisher. It is to be noted that if a certificate is revoked due to a compromise of a private key, any software in early time before the revocation of a certificate will function normally.
Product Distribution:
Time stamp keeps warning away. As a result, the software distribution may increase, as users trust such software, apps, and drivers. Users know that the software is coming from an original source.
How Does Time Stamping is done?
Timestamping is performed by a Time Stamping Authority (TSA) using a simple yet effective process:
Code Signing
- A hash of the software is generated and sent to the TSA.
- The TSA records the hash along with the accurate date and time, signing it with its own private key.
- The TSA returns a timestamp token to the client.
- The client application attaches this timestamp token to the signed software.
- When the software is executed, the system verifies the timestamped signature against the TSA’s records, confirming its validity.
This process ensures long-term validity and trust in digitally signed software.
Key Practices to Follow for Effective Time Stamping:
Few good practices can keep your software always valid when you apply time stamping.
- When you use any sign tool like Microsoft Signtool, always keep the time stamp active.
- A timestamp avoids issues in future software versions. Therefore, it is wise to include it in the software development cycle.
- A developer or publisher should keep documents of signing tools. Different tools have different processes. In addition, everyone involved in the Code Signing process should have this document.
- Time stamping lets the system check if the software was signed before or after the certificate’s revocation. If keys are compromised, you can revoke a certificate. This will not invalidate the digital signature.
- Check if the operating system supports the modern encryption SHA-2 algorithm.
- You should update the signed software on time when a new version is released.
Best Trusted Code Signing Certificates with Timestamping Support
Choosing a well-known Certificate Authority (CA) for your code signing certificate helps keep your software trusted, even after the certificate expires. Here are the best options that offer timestamping, along with their prices and validation types:
| Certificate Name | Type | Price |
| Comodo Code Signing Certificate | OV | $226.10/yr |
| DigiCert Code Signing Certificate | OV | $380.00/yr |
| Sectigo EV Code Signing Certificate | EV | $296.65/yr |
Conclusion
Time stamping seems optional. Nevertheless, it is vital to your organization’s Code Signing ecosystem. Without time stamping, code signing certificates would expire or be revoked, which would hurt customers’ trust in the software. Timestamping ensure that, even if certificates expire, their signatures continue as safe and trusted. As a developer or software publisher, you should follow the above practices. They will ensure a smooth, secure experience for end users.
