Digital Signing: Why You Should Always Include A Timestamp

Written by Radu Popescu · February 17th, 2021

With the experience of unfortunate security breaches in recent years, the focus on making safe and reliable applications has increased in the software industry. This is why adding a digital signature to your application has become a must -- and for MSIX applications it is mandatory.

Note: You can read more about MSIX mandatory digital signing in our MSIX Digital Signing article.

I recommend making signing with a certificate from a Certificate Authority, or with an “in-house” certificate, part of your process, and incorporating "timestamping" within that. This helps to strengthen trust in your application.

In this article, we will be focusing on the timestamping aspect of this process.

What is Timestamping?

When it comes to digital signatures, timestamping refers to the process of adding an electronic timestamp to your signature, which can keep the signature valid beyond the expiration of the signing certificate.

So, if your signature includes a timestamp, the certificate is validated against the time when the signature was made, and not the time when you're running the software. If the signature has no timestamp and your certificate has expired, validation fails, which essentially blocks your application's use.

How does Timestamping work?

The validation process of a certificate

First, let's describe the process of using a certificate: normally, individuals or organizations reach out to Certificate Authorities (CAs) to issue digital certificates that will be recognized by the majority of operating systems (OS).

These certificates have an expiration date which means that when that day arrives, they need to be renewed.

A key aspect that is often neglected during the digital signing process is timestamping.

And as we mentioned above, by timestamping your application, the digital signature of your software is preserved -- which allows you to run and install the application even if the certificate provided by the CA has expired.

How? During the signature evaluation step, the timestamp preserves the validity of your signature even if the certificate has expired, because it proves that the digital certificate was valid at the time the application was released.

However, if your application is digitally signed but doesn't include a timestamp -- then when the digital certificate expires, the signature will be compared to the current time (instead of when it was signed) and the certificate validation will fail, preventing users from using it.

What Happens If You Do Not Add a Timestamp in your Digital Signature?

Let's imagine that your application is critical to the productivity of a global company -- and it is used worldwide by many users.

If you omit the timestamp from your digital signature and the certificate expires, the application will stop working for them, causing significant downtime. That means that unless you previously set up a reminder of the expiration date and you renew the application certificate right away, you have a huge problem on your hands. Fixing it will also involve a lot of extra effort, so it’s better to prepare ahead instead of having to “put out the fire”.

Another scenario that we could avoid is what happens if the authority that issued the original certificate is dissolved and no longer exists. It turns out that even if the certificate is still valid and not expired, the validation process will compare the digital certificate to something that no longer exists on the OS at the current time.

If the digital signature is not timestamped, this will result in non-functional software. If it is timestamped, then regardless of whether the Certificate Authority still exists, validation will use the information from the timestamp and the application will continue to run.

How to add a Timestamp to Your Digital Signature With Advanced Installer

Adding a Timestamp to your package using Advanced Installer is simple.

  1. Go to the Digital Signature page.
  2. Set up the certificate according to your criteria (e.g. signing tool and the type of certificate you are using).
  3. Then, configure the Signature Properties accordingly using these two options:
    1. Timestamp service URL
      Specifies the URL of the timestamp server. This URL points to a DLL located on a server that is used for this purpose. An example of this type of server is http://timestamp.digicert.com. This kind of URL is usually provided by the certifying authority that issued the certificate.
    2. Timestamp delay(ms)
      In this field, you can configure how many milliseconds Advanced Installer will wait between performing two consecutive signing operations.
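
To confirm that the timestamp was actually applied, and to find already-built files that would stop validating once their certificate expires, the PowerShell audit below is an added example (it is not part of Advanced Installer or the original article). It relies on the built-in `Get-AuthenticodeSignature` cmdlet; the folder path, the extension list and the 90-day warning window are assumptions to adjust.

```powershell
# Added example: audit signed files for a missing signature timestamp.
# $Path, $Include and $WarnDays are assumed defaults, not values from the article.
param(
    [string]$Path = '.\output',
    [string[]]$Include = @('*.exe', '*.dll', '*.msi'),
    [int]$WarnDays = 90
)

$now = Get-Date

$report = Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer  = $sig.SignerCertificate       # $null when the file is unsigned
    $stamped = [bool]$sig.TimeStamperCertificate
    $expires = $null

    if (-not $signer) {
        $risk = 'Unsigned'
    }
    else {
        $expires = $signer.NotAfter
        if ($stamped) {
            # Validation uses the signing time, so expiry alone does not break it.
            $risk = 'OK (timestamped)'
        }
        elseif ($expires -lt $now) {
            $risk = 'No timestamp, certificate already expired'
        }
        elseif ($expires -lt $now.AddDays($WarnDays)) {
            $risk = "No timestamp, certificate expires within $WarnDays days"
        }
        else {
            $risk = 'No timestamp'
        }
    }

    [pscustomobject]@{
        File          = $_.FullName
        Status        = $sig.Status
        Signed        = [bool]$signer
        Timestamped   = $stamped
        SignerExpires = $expires
        Risk          = $risk
    }
}

$report | Sort-Object Timestamped, SignerExpires | Format-Table -AutoSize

# A non-zero exit code lets a build pipeline fail on signed-but-untimestamped files.
$missing = @($report | Where-Object { $_.Signed -and -not $_.Timestamped })
if ($missing.Count -gt 0) { exit 1 }
```

Running it as a post-build step catches a misconfigured or unreachable timestamp server before the package ships, rather than on the day the certificate expires.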

You can try our support for digital signature timestamp for free through the Advanced Installer 30-day, full-featured Trial.

Conclusion

Using timestamping is helpful and saves you from a lot of headaches and extra effort if your certificate expires. Do not neglect it!

Make timestamping part of your application preparation process and you will reap the benefits of setting and forgetting, which will save you from a lot of trouble.

Have you used timestamping in your application signing process? Share more best practices with us!
