How to verify that timestamping is done correctly for signed code

☆樱花仙子☆ 提交于 2019-12-04 01:23:56

The code-signing certificates issued by StartSSL contain the enhanced key usage (EKU) attribute "Lifetime Signing" (1.3.6.1.4.1.311.10.3.13), which causes the file signatures to expire when the certificate expires, regardless of any timestamps.

Sorry, I don't have an answer for you, but it does look like you shouldn't be seeing the behavior that you are, according to Comodo's Instant SSL FAQ.

Is timestamped code valid after a Code Signing Certificate expires?
Timestamping ensures that code will not expire when certificate expires. If your code is timestamped the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Comodo seems to be authoritative on this subject, so I'm inclined to believe what they say.

I'm anxiously waiting for the answer on this myself, because I'd very much like to purchase a code signing cert from StartSSL myself. I did notice on their site, that the code certs are 'beta' so maybe this is something they need to get the kinks worked out of.

There is a difference between the "Signing Time" and the Timestamp from the "Stamping Signer". The Signing time is the time when you actually signed the code, when the timestamp is from the "stamping signer" (the certificate server).

Signing with the certificate issuer timestamp will actually make sure that your signature is still valid even if your certificate already expired.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!