cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

About Code Signing and Timestamps

Tim Mangan
MVP

‎Mar 22 2019 02:14 PM - edited ‎Mar 22 2019 02:28 PM

‎Mar 22 2019 02:14 PM - edited ‎Mar 22 2019 02:28 PM

About Code Signing and Timestamps

Code Singing certificates may include a url for a timestampling service.  This is known to be used by browsers when evaluating the certificate, and allows the following:

  • Developer signs the code installer with a 1 year expiry and a timestamping URL
  • 2 years later someone wants to use the file signed by this code. Without the timestamping URL this certificate would be considered expired.  With the URL, the timestamping service validates that the file was signed before the certificate expired and is considered good.

There also exists an additional EKU called Lifetime Signing that is used in certain other situations to limit the lifetime.

 

This brings up three questions:

  1.  Does AppInstaller also check the timestamping URL?
  2.  Since files inside the package may also be signed by this cert, does software checking against CodeIntegrity (Device Guard Application Guard comes to mind but there may be others) also check the timestamping URL?
  3.  Do these things accept Lifetime Signing EKUs?
2,169 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by John Vintzel (Microsoft)
Chaitanya Donthini

‎Apr 04 2019 02:51 PM - edited ‎Apr 04 2019 03:14 PM

‎Apr 04 2019 02:51 PM - edited ‎Apr 04 2019 03:14 PM

Solution

Re: About Code Signing and Timestamps

@Tim Mangan 

1. App Installer app doesn't deal with certs all that much. App Installer is a wrapper that calls the deployment platform APIs. And yes, Deployment Platform APIs do check the timestamping URL. 

2. Yes, we check the timestamp if its there. 

3. Yes, lifetime signing EKUs are accepted. 

 

Thanks,

Chaitanya

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by John Vintzel (Microsoft)
Chaitanya Donthini

‎Apr 04 2019 02:51 PM - edited ‎Apr 04 2019 03:14 PM

‎Apr 04 2019 02:51 PM - edited ‎Apr 04 2019 03:14 PM

Solution

Re: About Code Signing and Timestamps

@Tim Mangan 

1. App Installer app doesn't deal with certs all that much. App Installer is a wrapper that calls the deployment platform APIs. And yes, Deployment Platform APIs do check the timestamping URL. 

2. Yes, we check the timestamp if its there. 

3. Yes, lifetime signing EKUs are accepted. 

 

Thanks,

Chaitanya

View solution in original post

0 Likes
Reply