Timestamping in Code Signing

Timestamping in code signing attaches a trusted, independently signed statement of the signing time (a timestamp token issued by a Timestamp Authority, or TSA) to the digital signature of a software application or code package. Because the token is cryptographically bound to the signature, a verifier can later establish that the signature was produced while the signing certificate was still valid, so the signature remains trustworthy long after that certificate has expired.

When code is signed, a digital signature is generated using the code signer's private key. The signature covers the code's content and carries metadata about the signer and the signing certificate. Certificates, however, have a finite validity period, and they can be revoked if the key is compromised or the holder is no longer considered trustworthy. Without a trusted timestamp a verifier has no reliable evidence of when the signature was made (the signer's own clock can be set to anything), so once the certificate expires or is revoked the signature can no longer be validated.

Benefits of timestamping:
  • Long-Term Validity: A timestamped signature remains verifiable after the code signer's certificate has expired, because the timestamp proves the signature was made while the certificate was still valid. If the certificate is later revoked, the signature stays valid only when the timestamp predates the revocation's effective date; a timestamp cannot rescue signatures made after a key was compromised.
  • Non-Repudiation: The timestamp is third-party evidence that the code was signed at a specific time with a specific certificate. The signer cannot later claim the signature was produced at some other time or after the key was out of their control.
  • Trust Across Time: End users can trust the signature, knowing that it was valid at the time of signing, even if the signing certificate is no longer valid. This matters for long-term archival of code and when verifying the authenticity of older signed releases.
  • Protection Against Time-Based Attacks: The signing time is attested by an independent TSA rather than taken from the signer's own clock, which the signer (or an attacker holding a stolen key) controls. A verifier that trusted a self-asserted signing time could be fooled into accepting a signature back-dated into the certificate's validity period; a TSA timestamp closes that gap.
  • Certificate Expiration: Code signing certificates typically have a lifespan of one to three years. Without timestamps, every release signed with a certificate would be reported as untrusted once it expires, breaking installation or updates unless everything is re-signed. Timestamped releases stay valid without re-signing.
  • Trustworthiness: Timestamp tokens are signed by trusted TSAs whose certificates chain to a trusted root, adding an independent party's attestation to the code signature.
  • Security Updates: Updates or patches signed before a certificate expired remain valid after its expiry, provided they carry a valid timestamp, so users are not blocked from installing them.

Timestamping Process

The timestamping process for code signing (RFC 3161) includes the following steps:
  1. The code signer signs the code with the private key of their code signing certificate.
  2. The signer computes a hash of the signature and sends that hash (not the code or the signature itself) to a TSA in a timestamp request.
  3. The TSA generates a timestamp token containing the hash it received, the current UTC date and time, and a serial number.
  4. The TSA signs the token with its own private key; the TSA's certificate carries the timeStamping extended key usage.
  5. The token is attached to the code's digital signature as a countersignature (an unsigned attribute), so the original signature is unchanged.
  6. The signed code, including the timestamp token, is distributed to users. A verifier checks the TSA's signature on the token, confirms the token's hash matches the signature it received, and evaluates the signing certificate's validity as of the timestamped time.
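The six steps above, run end to end offline with the openssl command-line tool. This is an added example, not AppViewX's code: the root CA, the TSA certificate, the signer key, the stand-in "binary" and the TSA policy OID are all constructed here for the demonstration, and a raw RSA signature stands in for the CMS/Authenticode structure a real signing tool would produce. The TSA side is played by `openssl ts -reply`, which is the same RFC 3161 responder logic a commercial TSA exposes over HTTP.

```shell
#!/bin/sh
# Added example (not AppViewX code): an offline RFC 3161 round trip with
# openssl. Everything is constructed for the demo: a throwaway root CA, a TSA
# certificate issued under it, a code signer key and a stand-in "binary". The
# policy OID below is a placeholder, not any real TSA's policy identifier.
set -e

ts_demo() {
    work=$(mktemp -d)
    cd "$work"

    # A TSA certificate must carry the timeStamping extended key usage marked
    # critical, and any key usage present must be digitalSignature and/or
    # nonRepudiation; openssl ts -verify rejects tokens signed by anything else.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout ca.key -out ca.pem -subj "/CN=Demo Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout tsa.key -out tsa.csr -subj "/CN=Demo TSA" 2>/dev/null
    printf '%s\n' 'keyUsage = critical,digitalSignature,nonRepudiation' \
        'extendedKeyUsage = critical,timeStamping' > tsa_ext.cnf
    openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile tsa_ext.cnf -out tsa.pem 2>/dev/null

    # Step 1: the code signer signs the code with their private key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out signer.key 2>/dev/null
    printf 'stand-in for a compiled binary\n' > code.bin
    openssl dgst -sha256 -sign signer.key -out code.sig code.bin

    # Step 2: build the timestamp request. Only the SHA-256 of the signature
    # leaves the signer; -cert asks the TSA to include its certificate.
    openssl ts -query -data code.sig -sha256 -cert -out code.tsq

    # Steps 3-4: act as the TSA. The responder copies the hash from the
    # request, adds the current UTC time and a serial number, and signs the
    # token with the TSA key.
    cat > tsa.cnf <<EOF
[ tsa ]
default_tsa = tsa_config

[ tsa_config ]
serial = $work/tsa.serial
crypto_device = builtin
signer_cert = $work/tsa.pem
signer_key = $work/tsa.key
signer_digest = sha256
certs = $work/ca.pem
default_policy = 1.3.6.1.4.1.99999.1
digests = sha256
accuracy = secs:1
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
EOF
    openssl ts -reply -config tsa.cnf -queryfile code.tsq -out code.tsr

    # Step 5 (embedding the token as a countersignature) is the signing
    # tool's job; here the token simply sits beside the signature.
    # Step 6: the relying party checks the token against the signature it
    # actually received, then reads the attested time out of it.
    openssl ts -verify -data code.sig -in code.tsr -CAfile ca.pem >/dev/null
    openssl ts -reply -in code.tsr -text | grep 'Time stamp:'

    # The token is bound to exactly one signature: a different signature,
    # even one byte off, must not verify against it.
    cp code.sig other.sig
    printf 'tampered' >> other.sig
    if openssl ts -verify -data other.sig -in code.tsr -CAfile ca.pem >/dev/null 2>&1; then
        echo "ERROR: token verified against a different signature"
        return 1
    fi
    echo "Verification: OK"
    cd / && rm -rf "$work"
}

ts_demo
```

Against a real TSA, step 4 is replaced by posting code.tsq to the TSA's URL with `Content-Type: application/timestamp-query` and saving the `application/timestamp-reply` body as code.tsr; the query, the verification and the tamper check are unchanged. Note that the verifier trusts the token only because ca.pem is passed as a trust anchor, which is the role the public TSA roots play on end-user machines.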

Timestamping Authorities Supported by AppViewX for Code Signing

  • GlobalSign
  • Symantec (now part of DigiCert)
  • Entrust
  • SwissSign
  • Comodo CA (now Sectigo)
  • DigiCert
  • IdenTrust
  • QuoVadis Global
  • GlobalSign Advanced

If you need a timestamping authority other than those listed above, provide its timestamp server URL (or equivalent connection details) when configuring the code signing workflow, so that signatures are countersigned by the required service. Consult your organization's code signing policies and requirements before selecting a timestamping authority or specifying a custom URL.