Mar 22 2019 02:14 PM - edited Mar 22 2019 02:28 PM
Code Singing certificates may include a url for a timestampling service. This is known to be used by browsers when evaluating the certificate, and allows the following:
There also exists an additional EKU called Lifetime Signing that is used in certain other situations to limit the lifetime.
This brings up three questions:
Apr 04 2019 02:51 PM - edited Apr 04 2019 03:14 PM
Solution1. App Installer app doesn't deal with certs all that much. App Installer is a wrapper that calls the deployment platform APIs. And yes, Deployment Platform APIs do check the timestamping URL.
2. Yes, we check the timestamp if its there.
3. Yes, lifetime signing EKUs are accepted.
Thanks,
Chaitanya
Apr 04 2019 02:51 PM - edited Apr 04 2019 03:14 PM
Solution1. App Installer app doesn't deal with certs all that much. App Installer is a wrapper that calls the deployment platform APIs. And yes, Deployment Platform APIs do check the timestamping URL.
2. Yes, we check the timestamp if its there.
3. Yes, lifetime signing EKUs are accepted.
Thanks,
Chaitanya