How does Time Stamping relate to a Code Signing Certificate?

Suppose Jim, a developer, purchases a Code Signing Certificate for his downloadable application Software. The code signing certificate helps by prompting his audience, that the software they are about to download is from a trusted source.

Unaware that the certificate expires a month later, a user, Bob, decides to download Jim’s software, and saves the .exe file on his desktop. Due to other commitments, he forgets about the file and a few months later realizes that he is yet to install it.

Frustration clouds Bob’s judgment as he unsuccessfully attempts to install the file before eventually abandoning the software.

So, what just happened? Well, chances are, Bob now has a lot to say regarding the software and moreover, losing a potential customer has left Jim back at square one.
Sigh! If only Jim had used a Timestamp, he could have dodged this situation.

So, what does a Timestamp mean and how does it affect a code signing certificate?

Well, in layman terms, Time Stamping is basically a method that acknowledges or notes the respective time of a particularly noteworthy moment. Think of it like a notary stamp. It’s a third-party verification that the signature was legitimate at the time it was made.

In this instance, a Code Signing Timestamp is a feature that helps freeze the digital signature of the code so that even if the code signing certificate expires in the future, the timestamp will reflect concrete proof that the software was valid during the time it was downloaded by the user. Moreover, if the user has already installed the software, even though the certificate had expired, the timestamp would allow the user to access the software but would struggle with updates however, giving the developer, ample time to re-issue the code signing certificate.

How does a Timestamp Work?

A Timestamp is initially provided by a certified Timestamp authority or a TSA. It is created by utilizing a series of encryption and decryption methods provided by Public Key Infrastructure Technology.

The purpose of a time stamp is not only to make a digital signature valid forever, but to extend the life of the signature, which is a lot more than the usual one to three years of the code signing certificate.

The process of obtaining a timestamp:

  • The company requesting the time stamp sends the TSA the hash value of their digital signature.
  • In order to create a digital hash that is integrated with information such as the data and time of the signature, the TSA makes use of the PKI Technology to apply timestamps.
  • The new hash, along with the company’s hash, is bundled up and sent to the company where it is verified by their application. Once done, the timestamp is valid.

It is important to note here that since the timestamp plays an integral role in maintaining the trust levels if the company tries to modify any data after the timestamp is issued, the signature would become invalid.

What is a Time Stamp Server?

Once you receive a valid timestamp certificate from the TSA, whenever you sign, a hash of your code is uploaded on the timestamp server. This helps in recording the date and time of your signature and also certifies that the code was working during the time it was digitally signed.

Timestamping Protocols:

Timestamping follows certain protocols, two of which are RFC 3161 and Microsoft Authenticode.

Recently the RFC 3161 was updated and defined as the RFC 5035, which additionally allows the use of ESSCertIDv2. Read more.

Authenticode, on the other hand, can be utilized in manifold formats such as cab, .exe, .ocx, and .dll. Know more.

Final Thoughts

The timestamp is an integral part of the code signing process and can be completely trusted as they verify their data via Universal Time Coordinated sources. It’s worth saying without a doubt that if time stamping were not there, certificates would expire leaving customers with extremely bad user experiences and increased product unreliability.

Timestamps make sure that even if certificates lose their validity or are revoked for some reason, their signatures remain valid, secure and trusted.

Buy Comodo EV Code Signing at $249 Per Year – 17% Off


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.