Wednesday, July 11, 2012

Timestamp your digitally signed files

Authenticode / Digital Signing / Time-Stamping

It seems many developers, myself included for a while, have overlooked the need to time stamp their digitally signed files.

Why do this?

After your code-signing certificate expires, the digital signature on even your old builds is no longer considered valid UNLESS you time stamped your modules when you signed them. Without a time stamp, the only fix is to create a new build of your software and sign it again.

How?

Fortunately, the process is easy - and you can even use ANY time stamping server. Since it requires a network call to that server, you'll want a batch file or similar to retry on errors, which inevitably happen from time to time (more often with some time stamping servers than others).

Info: http://msdn.microsoft.com/enus/library/windows/desktop/bb931395(v=vs.85).aspx

In my case, using signtool and a PFX, it is simply a matter of passing the /t argument followed by the time stamp server URL, as the page above describes. Again, supposedly you can use the time stamping servers of *other* Certificate Authorities than the one that issued your certificate, though I personally have stayed with the one that issued mine. EDIT: I have tested this, and it *does* work fine. For example, you can use VeriSign's time stamping server with a Comodo certificate, or vice versa.
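As an added example (not from the original post), here is the "batch file or something" for the retry loop, written as a PowerShell script: it signs with signtool and a PFX, retries the time stamp request against more than one server, and then checks with signtool verify that the stored signature actually carries a time stamp. The server URLs are placeholders, and the final check assumes signtool's verbose verify output reports "The signature is timestamped:" when a time stamp is present.

```powershell
# Added example, not code from the original post.
# Sign a module with a PFX, then time stamp it, retrying across servers.
param(
    [Parameter(Mandatory)] [string] $File,        # e.g. .\MyApp.exe or .\MyDriver.sys
    [Parameter(Mandatory)] [string] $PfxPath,     # your code-signing certificate
    [Parameter(Mandatory)] [string] $PfxPassword,
    [int] $AttemptsPerServer = 3
)

# Placeholders: replace with the /t time stamp servers your CA (or any other CA) publishes.
$timestampServers = @(
    'http://timestamp.example-ca-1.invalid',
    'http://timestamp.example-ca-2.invalid'
)

# Step 1: sign once. "signtool sign /t <server>" would sign and time stamp in one go,
# as the post describes; splitting it out lets us retry only the network part.
& signtool.exe sign /f $PfxPath /p $PfxPassword /v $File
if ($LASTEXITCODE -ne 0) { throw "Signing $File failed." }

# Step 2: time stamp the existing signature, trying each server a few times.
$stamped = $false
foreach ($server in $timestampServers) {
    for ($i = 1; ($i -le $AttemptsPerServer) -and (-not $stamped); $i++) {
        Write-Host "Time stamping $File via $server (attempt $i)"
        & signtool.exe timestamp /t $server /v $File
        if ($LASTEXITCODE -eq 0) { $stamped = $true } else { Start-Sleep -Seconds 10 }
    }
    if ($stamped) { break }
}
if (-not $stamped) { throw "Could not time stamp $File with any server; do not ship it." }

# Step 3: confirm the signature really carries a time stamp before shipping.
# Assumption: verbose verify output contains "The signature is timestamped:" when it does.
$verify = & signtool.exe verify /pa /v $File 2>&1
if ($LASTEXITCODE -ne 0 -or -not ($verify -match 'The signature is timestamped')) {
    throw "Signature on $File verified without a time stamp; it will expire with the cert."
}
Write-Host "$File is signed and time stamped."
```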

Don't forget to do this -- or else when your cert expires, so do your signed modules (and/or drivers!). I noticed the other day that an old install of some popular freeware I use suddenly quit working because the cert on its driver had expired.

Once time stamped, even if your digital cert expires, that build of your software will continue to remain validly signed.
