SOLVED

About Code Signing and Timestamps


Code Signing certificates may include a URL for a timestamping service. This is known to be used by browsers when evaluating the certificate, and allows the following:

  • Developer signs the code installer with a 1 year expiry and a timestamping URL
  • 2 years later someone wants to use the file signed by this code. Without the timestamping URL this certificate would be considered expired.  With the URL, the timestamping service validates that the file was signed before the certificate expired and is considered good.

There also exists an additional EKU called Lifetime Signing that is used in certain other situations to limit the lifetime.


This brings up three questions:

  1. Does AppInstaller also check the timestamping URL?
  2. Since files inside the package may also be signed by this cert, does software checking against CodeIntegrity (Device Guard Application Guard comes to mind but there may be others) also check the timestamping URL?
  3. Do these things accept Lifetime Signing EKUs?
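The validity rule the post describes (a timestamped signature survives certificate expiry, an untimestamped one does not, and the Lifetime Signing EKU pins the signature's lifetime to the certificate's) can be written out as a small decision function. This is an added illustration, not code from the original thread or from Microsoft; the `SignerCert` and `Signature` types and the sample dates are constructed for the example, and the check models only the time-based part of verification (chain building, revocation and signature hash checks are out of scope). The EKU OID is the Microsoft `szOID_KP_LIFETIME_SIGNING` value.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Microsoft Lifetime Signing EKU (szOID_KP_LIFETIME_SIGNING).
LIFETIME_SIGNING_EKU = "1.3.6.1.4.1.311.10.3.13"


@dataclass(frozen=True)
class SignerCert:
    """Constructed stand-in for the signing certificate's validity data."""
    not_before: datetime
    not_after: datetime
    ekus: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Signature:
    """Constructed stand-in for an Authenticode-style signature.

    `timestamp` is the signing time asserted by a trusted timestamping
    countersignature, or None when the file was signed without one.
    """
    cert: SignerCert
    timestamp: Optional[datetime] = None


def evaluate_signature(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Apply the time-validity rules and return (is_valid, reason).

    Rules modelled (hypothetical simplification of the real verifier):
      1. No timestamp: the certificate must be valid at verification time.
      2. Timestamp present: the signing time must fall inside the
         certificate's validity period; later expiry does not matter.
      3. Lifetime Signing EKU: the signature is only good while the
         certificate itself is unexpired, even if timestamped.
    """
    cert = sig.cert

    if sig.timestamp is None:
        if cert.not_before <= now <= cert.not_after:
            return True, "no timestamp; certificate valid at verification time"
        return False, "no timestamp; certificate expired (or not yet valid) at verification time"

    if not (cert.not_before <= sig.timestamp <= cert.not_after):
        return False, "timestamp falls outside the certificate's validity period"

    if LIFETIME_SIGNING_EKU in cert.ekus and now > cert.not_after:
        return False, "lifetime-signing EKU: signature expired with the certificate despite timestamp"

    return True, "timestamped within the certificate's validity period"


# Constructed sample: a one-year certificate, checked two years after issuance.
SAMPLE_CERT = SignerCert(datetime(2019, 1, 1), datetime(2020, 1, 1))
SAMPLE_LIFETIME_CERT = SignerCert(datetime(2019, 1, 1), datetime(2020, 1, 1),
                                  ekus=(LIFETIME_SIGNING_EKU,))
VERIFY_TIME = datetime(2021, 1, 1)


def sample_results():
    """Evaluate the scenarios from the post; returns a dict of name -> is_valid."""
    cases = {
        "timestamped": Signature(SAMPLE_CERT, timestamp=datetime(2019, 6, 1)),
        "no_timestamp": Signature(SAMPLE_CERT),
        "timestamp_after_expiry": Signature(SAMPLE_CERT, timestamp=datetime(2020, 6, 1)),
        "lifetime_signing_timestamped": Signature(SAMPLE_LIFETIME_CERT, timestamp=datetime(2019, 6, 1)),
    }
    return {name: evaluate_signature(sig, VERIFY_TIME)[0] for name, sig in cases.items()}


if __name__ == "__main__":
    for name, ok in sample_results().items():
        print(f"{name}: {'valid' if ok else 'invalid'}")
```

The point for a defender is that a timestamp only helps if the countersignature comes from a trusted TSA and the asserted time sits inside the certificate's window; a signature produced after expiry (or with a forged timestamp from an untrusted TSA, which a real verifier rejects at the chain-building step) is still invalid.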
best response confirmed by John Vintzel (Microsoft)
Solution

@Tim Mangan 

1. App Installer app doesn't deal with certs all that much. App Installer is a wrapper that calls the deployment platform APIs. And yes, Deployment Platform APIs do check the timestamping URL. 

2. Yes, we check the timestamp if it's there.

3. Yes, lifetime signing EKUs are accepted. 


Thanks,

Chaitanya