Why a Digital Signature Timestamp is Always Required

Written by Radu Popescu · February 17th, 2021 · 5min read

With the experience of unfortunate security breaches in recent years, the focus on making safe and reliable applications has increased in the software industry. This is why adding a digital signature to your application has become a must -- and for MSIX applications it is mandatory.

Note: You can read more about MSIX mandatory digital signing in our MSIX Digital Signing article.

I recommend signing with a certificate from a Certificate Authority or an "in-house" certificate as part of your process, and incorporating "Timestamping" into that signing step. This helps to strengthen your application's trust.

In this article, we will be focusing on the timestamping aspect of this digital signing process.

What is Timestamping?

When it comes to digital signatures, timestamping refers to the process of adding an electronic timestamp to your signature so that the signature can remain valid after the signing certificate expires.

So, if your signature includes a timestamp, the certificate is validated against the time when the file was signed, and not the time when you're running the software. If the signature has no timestamp and your certificate has expired, the missing timestamp will essentially block your application's use.

How does Timestamping work?

The validation process of a certificate

First, let's describe the process of using a certificate: Normally, individuals or organizations reach out to Certificate Authorities (CAs) to issue digital certificates that will be recognized by the majority of Operating Systems (OS).

These certificates have an expiration date which means that when that day arrives, they need to be renewed.

A key aspect that is often neglected during the digital signing process is timestamping.

And as we mentioned above, by timestamping your application, the electronic signature of your software is preserved -- which allows you to run and install the application even if the certificate provided by the CA has expired.

How? During the signature evaluation step, a timestamp works as a way to preserve the validity of your signature even if the certificate has expired, because the timestamp proves that the digital certificate was valid at the time the application was signed.

However, if your application is digitally signed but doesn't include a timestamp -- then when the digital certificate expires, the signature will be compared to the current time (instead of when it was signed) and the certificate validation will fail, preventing users from using it.
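To find signed files that would hit this failure, you can audit existing binaries for a missing timestamp. The PowerShell below is an added example, not part of the original article or of Advanced Installer; the folder path is a placeholder and the file extensions are an assumption about what you ship.

```powershell
# Added example: list Authenticode-signed files and flag those with no timestamp.
# $Path is a placeholder; point it at your build output or install folder.
$Path = 'C:\Path\To\Binaries'

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Skip unsigned files; this audit is only about timestamping.
        if ($null -eq $sig.SignerCertificate) { return }

        $notAfter    = $sig.SignerCertificate.NotAfter
        $timestamped = $null -ne $sig.TimeStamperCertificate

        # Without a timestamp the certificate is checked against the current
        # time, so the signature stops validating when the certificate expires.
        $daysLeft = $null
        if (-not $timestamped) {
            $daysLeft = [math]::Floor(($notAfter - (Get-Date)).TotalDays)
        }

        [pscustomobject]@{
            File            = $_.FullName
            Status          = $sig.Status
            Timestamped     = $timestamped
            CertExpires     = $notAfter
            DaysUntilExpiry = $daysLeft   # empty for timestamped files
        }
    } |
    Sort-Object Timestamped, CertExpires |
    Format-Table -AutoSize
```

Files with `Timestamped = False` sort first; a negative `DaysUntilExpiry` means the certificate has already expired.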

What Happens If You Do Not Add a Digital Signature Timestamp?

Let's imagine that your application is critical to the productivity of a global company -- and it is used worldwide by many users.

If you omit the timestamp from your digital signature and the certificate expires, the application will stop working for them, causing a big downtime. That means that unless you previously set up a reminder of the expiration date and you renew the application certificate right away, you have a huge problem on your hands. Fixing it will also involve a lot of extra effort, so it's better to prepare ahead instead of having to "put out the fire".

Another scenario that we could avoid is what happens if the authority that issued the original certificate is dissolved and no longer exists. It turns out that even if the certificate is still valid and not expired, the validation process will compare the digital certificate to something that no longer exists on the OS at the current time.

If the digital signature is not timestamped, this will result in non-functional software. If it is timestamped, then regardless of whether the Certificate Authority still exists, the validation will use the information from the timestamp and the application will continue to run.

How to add a Timestamp to Your Digital Signature With Advanced Installer


Adding a Timestamp to your package using Advanced Installer is simple.

  1. Go to the Digital Signature page.
  2. Set up the certificate according to your criteria (e.g. signing tool and the type of certificate you are using).
  3. Then, configure the Signature Properties accordingly using these two options:
    1. Timestamp service URL
      This specifies the URL of the timestamp server. This URL points to a DLL located on a server that is used for this purpose. An example of this type of server is http://timestamp.digicert.com. This kind of URL is usually provided by the certifying authority that issued the certificate.
    2. Timestamp delay(ms)
      In this field, you can configure how many milliseconds Advanced Installer will wait between performing two consecutive signing operations.
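The same two settings can be applied from a script when signing outside the Advanced Installer UI. This is an added example using PowerShell's built-in Set-AuthenticodeSignature cmdlet, not Advanced Installer's own implementation; the thumbprint, file paths and delay value are placeholders.

```powershell
# Added example: sign several files with a timestamp, pausing between
# signing operations, and stop if a signature ends up without one.
$thumbprint   = '<CERT-THUMBPRINT>'               # placeholder
$timestampUrl = 'http://timestamp.digicert.com'   # example URL from the article
$delayMs      = 1000                              # placeholder delay between operations
$files        = @('C:\Path\To\MyApp.exe', 'C:\Path\To\Helper.dll')  # placeholders

# Pick the code-signing certificate from the current user's store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $thumbprint
if (-not $cert) { throw "Code-signing certificate $thumbprint not found." }

foreach ($file in $files) {
    $null = Set-AuthenticodeSignature -FilePath $file -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $timestampUrl

    # Re-read the signature from disk: a timestamp server outage must not
    # silently produce a signed-but-untimestamped file.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $file is not valid: $($sig.StatusMessage)"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on $file has no timestamp."
    }

    # Equivalent of the 'Timestamp delay(ms)' option: wait between two
    # consecutive signing operations.
    Start-Sleep -Milliseconds $delayMs
}
```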

You can try our support for digital signature timestamp for free through the Advanced Installer 30-day, full-featured Trial.

Conclusion

Using timestamping is helpful and saves you from a lot of headaches and extra effort if your certificate expires. Do not neglect it!

Make timestamping part of your application preparation process and you will reap the benefits of setting and forgetting, which will save you from a lot of trouble.

Have you used timestamping in your application signing process? Share more best practices with us!

Digital Signature Timestamp: FAQ

What is a signature timestamp?

A timestamp is an important mechanism to validate and confirm the legitimacy of digital signatures. This is done by storing the time and date when the file was signed as proof of the integrity of the signed code or application. By timestamping, the digital signature of your software is preserved even after the certificate expires, certifying the file was signed before the certificate expired.

How do I add a timestamp to a digital signature?

You can add a timestamp to your code with a tool like Advanced Installer. Go to the Digital Signature page, select the Software Publisher Certificate you want to be applied and then configure your Signature Properties by providing a description, the URL of the timestamp server and the timestamp delay in ms.

Do digital signatures have a date or expire?

A digital certificate provided by Certificate Authorities can expire. But a digitally signed application maintains the validity of its signature, even after the certificate's expiration, if the application was timestamped. So timestamping is the way through which an application signed with a certificate that has expired in the meantime can still have a valid signature, allowing you to run the signed software after that date.
