Understanding time stamping in code signing

Code signing certificates are usually valid for a defined period of time, commonly one year. Once expired, the certificate must be renewed. The reason behind this is the same reason why many online services require users to update their passwords at certain intervals: the longer the password is in use, the more likely it is to be compromised, either through theft or a brute-force attack. In a similar manner, the longer a software publisher uses a specific code signing certificate, the more time bad actors have to try to steal or brute-force the private key.

This poses a problem for code signing because a piece of signed code may be executed long after the certificate used to sign it has expired. If the signing certificate embedded in the signature is expired at verification time and nothing else proves when the signature was made, the code is considered untrusted.

The solution to this is time stamping. When code is signed, the signer can choose to use a time stamping service (based on RFC 3161) to countersign the digital signature with a time stamp token that carries the time stamping service's certificate. Time stamping certificates are generally valid for much longer periods of time than code signing certificates are. The time stamp attests that the code signing certificate used to sign the code was valid at the time the code was signed, so a verifier can continue to trust the signature even if the code signing certificate itself has since expired.
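The following Python model is an added illustration of the verification decision described above; it is not part of this documentation and not CodeSign Protect's own code. The certificate validity windows, the time stamp instant and the "current" verification time are all constructed sample values. The model deliberately reduces a certificate to its validity window and a signature to its signer plus an optional RFC 3161 time stamp; a real verifier additionally checks chain trust, revocation status and the cryptographic binding of the time stamp token to the signature, which are omitted here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class CertWindow:
    """A certificate reduced to its name and notBefore/notAfter window (model only)."""
    name: str
    not_before: datetime
    not_after: datetime

    def contains(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Signature:
    """A code signature: the signing certificate plus an optional time stamp."""
    signer: CertWindow
    # Instant asserted by the time stamping service (None if not time stamped).
    timestamp_time: Optional[datetime] = None
    # Certificate of the time stamping service that issued the token.
    tsa: Optional[CertWindow] = None


def evaluate_signature(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Decide whether the signature is trusted at `now` and say why.

    Without a time stamp the signing certificate must be valid right now.
    With a time stamp, the signing certificate only needs to have been valid
    at the instant the time stamp was issued, and the time stamping
    certificate must have been valid at that same instant.
    """
    if sig.timestamp_time is None:
        if sig.signer.contains(now):
            return True, "signing certificate is valid at verification time"
        return False, "signing certificate expired and no time stamp is present"

    if sig.tsa is None:
        return False, "time stamp present but no time stamping certificate"
    if not sig.tsa.contains(sig.timestamp_time):
        return False, "time stamping certificate was not valid when the token was issued"
    if not sig.signer.contains(sig.timestamp_time):
        return False, "signing certificate was not valid when the time stamp was issued"
    return True, "signing certificate was valid at the time stamp; signature remains trusted"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: a one-year code signing certificate and a
# long-lived time stamping certificate, as the text describes.
SIGNER = CertWindow("example-publisher (sample)", _utc(2023, 1, 1), _utc(2024, 1, 1))
TSA = CertWindow("example-tsa (sample)", _utc(2020, 1, 1), _utc(2030, 1, 1))
NOW = _utc(2024, 6, 1)  # well after the signing certificate expired

UNTIMESTAMPED = Signature(signer=SIGNER)
TIMESTAMPED = Signature(signer=SIGNER, timestamp_time=_utc(2023, 6, 15), tsa=TSA)
# A token issued after the signing certificate expired must not rescue it.
LATE_TIMESTAMP = Signature(signer=SIGNER, timestamp_time=_utc(2024, 3, 1), tsa=TSA)


def demo() -> dict:
    """Evaluate the three sample signatures at NOW."""
    return {
        "untimestamped": evaluate_signature(UNTIMESTAMPED, NOW),
        "timestamped": evaluate_signature(TIMESTAMPED, NOW),
        "late_timestamp": evaluate_signature(LATE_TIMESTAMP, NOW),
    }


if __name__ == "__main__":
    for label, (trusted, reason) in demo().items():
        print(f"{label:15s} trusted={trusted}  ({reason})")
```

Run the script to see the three outcomes side by side: the untimestamped signature fails once the signing certificate has expired, the properly time stamped one stays trusted, and a token issued after expiry is rejected because it does not prove the certificate was valid when the code was signed.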

CodeSign Protect includes a time stamping service. For more information on time stamping certificates in Trust Protection Platform, see Overview of certificate types. For information on using the CodeSign Protect Time Stamp Service, see Using the CodeSign Protect Time Stamp Service.