Why Time Stamps for Code Signing Certificates Matters

Better secure your code signing certificates with timestamping.

By Kalpesh Patel · Updated Sep. 03, 19 · Opinion

Why timestamping matters

If you sign your software with a code signing certificate but do not timestamp the signature, the signature remains valid only until the certificate expires. In other words, the signature remains valid as long as the data has not been tampered with, no certificate in the chain has been revoked, the root certificate is trusted, and the signing certificate is within its validity period. Once the certificate expires, is revoked, or otherwise becomes invalid, the signature is considered invalid and a trust warning is displayed.

To eliminate such issues, timestamping is used. Timestamping in code signing shows when the software file was signed. It is quite similar to signing a document in the presence of a notary: the timestamp acts as a notary witness to the identity of the signatory as well as the signing time.

What Is a Time Stamp?

A timestamp is a declaration from a trusted source, called a TSA (Timestamp Authority), stating that the hashed digital signature was valid at the time the timestamp was issued. Because of this, Windows considers a timestamped signature valid even after the certificate has expired. Without a timestamp, the signature is no longer considered valid once the certificate used to sign the software expires.

Timestamping also plays a role in checking for revoked certificates. If a digital signature was timestamped before the certificate was revoked, the signature is considered valid. Timestamping therefore allows a company to revoke a certificate and start signing with a new one without invalidating software that was signed earlier. Likewise, timestamps can be used on all Windows platforms, provided they are configured with the root certificates of the issuing CAs.
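The rules above can be written as a small decision function. This is an added example, not code from the article or from Windows: `SigningCert`, `signature_status` and all dates are constructed for illustration, and the model is a simplification that ignores chain building and root trust.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class SigningCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None means never revoked

def signature_status(cert, now, timestamp=None):
    """Simplified model of the rules in the text (an assumption, not Windows' logic).
    `timestamp` is the TSA-attested signing time, or None if not timestamped."""
    # With a timestamp the certificate is judged at signing time;
    # without one it can only be judged at verification time.
    reference = timestamp if timestamp is not None else now
    if reference < cert.not_before:
        return "invalid: before certificate validity period"
    if reference > cert.not_after:
        return "invalid: certificate expired"
    if cert.revoked_at is not None and reference >= cert.revoked_at:
        return "invalid: certificate revoked"
    return "valid"

# Constructed sample data: a one-year certificate and a signing time inside it.
CERT = SigningCert(datetime(2018, 1, 1), datetime(2019, 1, 1))
REVOKED = SigningCert(datetime(2018, 1, 1), datetime(2019, 1, 1),
                      revoked_at=datetime(2018, 9, 1))
SIGNED = datetime(2018, 6, 1)

def demo():
    after_expiry = datetime(2020, 1, 1)
    after_revocation = datetime(2018, 10, 1)
    return {
        "no timestamp, cert still valid": signature_status(CERT, datetime(2018, 7, 1)),
        "no timestamp, cert expired": signature_status(CERT, after_expiry),
        "timestamped, cert expired": signature_status(CERT, after_expiry, SIGNED),
        "no timestamp, cert revoked": signature_status(REVOKED, after_revocation),
        "timestamped before revocation": signature_status(REVOKED, after_revocation, SIGNED),
        "timestamped after revocation": signature_status(
            REVOKED, after_revocation, datetime(2018, 9, 15)),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```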

Time Stamping – How Does it Work?  

A Timestamp Authority uses PKI (Public Key Infrastructure) technology to apply timestamps. The steps, in overview:

  • The client application creates a unique hash value for the file that needs to be timestamped and sends it to the TSA.

  • From this point on, whenever any change occurs in the original file, even to a single bit of information, it will be communicated to the TSA server.

  • The TSA combines the hash, the authoritative time, and other related information, and signs them with its private key to create a timestamp token, which is then sent back to the client. The timestamp token contains all the information the client application needs to verify the timestamp.

  • Finally, the client application receives the timestamp token and records it within the code signature or the document.

Time Stamp workflow example

Whenever the resulting timestamped file or data is opened, the client application uses the TSA's public key to validate that the timestamp comes from a trusted TSA, and recalculates the hash of the original data. The new hash is then compared to the original hash; if any difference has appeared since the timestamp was applied, the hash check fails and a warning is displayed that the data has been altered and therefore cannot be trusted.
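The issue-and-verify exchange described above, as an added toy model that is not part of the original article. It assumes a textbook RSA key built from two Mersenne primes as a stand-in for the TSA's real key pair (not secure, and not a real timestamp token format); all function names and sample bytes are constructed.

```python
import hashlib
import json

# Toy RSA key for the TSA (assumption for illustration only, NOT secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus, known to clients
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, known only to the TSA

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def client_hash(file_bytes: bytes) -> str:
    """The client sends only the hash of the file to the TSA, never the file."""
    return hashlib.sha256(file_bytes).hexdigest()

def tsa_issue_token(file_hash: str, tsa_time: str) -> dict:
    """The TSA binds the hash to its own authoritative time and signs both."""
    body = json.dumps({"hash": file_hash, "time": tsa_time}, sort_keys=True)
    return {"body": body, "sig": pow(_digest_int(body.encode()), D, N)}

def client_verify(file_bytes: bytes, token: dict) -> str:
    """Check the TSA signature with the public key (N, E), then recompute
    the file hash and compare it with the hash recorded in the token."""
    if pow(token["sig"], E, N) != _digest_int(token["body"].encode()):
        return "invalid: token not signed by the trusted TSA"
    body = json.loads(token["body"])
    if client_hash(file_bytes) != body["hash"]:
        return "invalid: data altered since timestamp"
    return "valid: existed unchanged at " + body["time"]

if __name__ == "__main__":
    original = b"constructed installer bytes"          # constructed sample input
    token = tsa_issue_token(client_hash(original), "2019-09-03T12:00:00Z")
    print(client_verify(original, token))
    print(client_verify(original + b"!", token))       # file changed after stamping
    backdated = dict(token, body=token["body"].replace("2019-09-03", "2017-09-03"))
    print(client_verify(original, backdated))          # token time edited
```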

Conclusion

Because timestamping is optional, it may seem like an unnecessary step. But it is one of the essential processes that no programmer should skip during software development.


Opinions expressed by DZone contributors are their own.
