Microsoft Tech Community

MSIX timestamp URL for self-signed certificate

We have created a certificate for an MSIX package using the link (https://learn.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing), so please let us know the timestamp URL which needs to be used for the certificate created.

2 Replies

@chandru_bn THE FOLLOWING IS AN UNOFFICIAL RESPONSE, NOT NECESSARILY ENDORSED BY MICROSOFT. Microsoft is free to correct anything I say by replying. (This is just like any other reply I make on this forum, but want to be sure you know it for this answer!)

At this time Microsoft does not seem to provide a general publicly available Timestamping service. Documentation for the Azure Code Signing Service, a service that is in Preview mode last I looked, indicates that the new service does have a timestamping service, however whether that will be publicly available to those not using the Azure Code Signing Service is to be seen.

Third Party vendors that supply public code signing certificates (AKA a Certificate Authority) generally have a publicly available service, and my experience has been that they don't seem to mind if non-customers make use of the service to sign packages with self-signed certs, as long as we all don't interfere with paying customers -- such as a DoS attack might cause. Past behavior is no guarantee of future availability, but if they all stopped the world would clamor for a solution.

Each of those third parties will document their URL if you look for online support for their code signing services, so I shan't add one here.

Regards,

Tim

@chandru_bn PS: If you are creating a self-signed certificate, you can also achieve the effect you are looking for without using a timestamping service. When creating the certificate, you can specify an expiration date that is (let's say) 30 years into the future. As the timestamp is only valid for 30 years, it is kind of the same. I'm not going to address whether or not it is wise to do this, as I'm pretty sure different security experts would differ on that.
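
The two options discussed in the replies above (timestamping against a CA's public RFC 3161 service, or giving the self-signed certificate a longer validity period), as an added example that is not part of the original posts. The subject, package path and parameter names are placeholders, the timestamp URL is deliberately left empty for you to fill in from your chosen CA's documentation, and `signtool.exe` from the Windows SDK is assumed to be on the PATH.

```powershell
# Added example: sign an MSIX with a self-signed certificate, with or without a timestamp.
# All default values below are placeholders, not values from the thread.
param(
    # Must match the Publisher attribute in the package's AppxManifest.xml
    [string]$Subject      = 'CN=Contoso Software, O=Contoso Corporation, C=US',
    [string]$PackagePath  = '.\MyApp.msix',
    # RFC 3161 URL documented by the CA you pick; empty means "sign without a timestamp"
    [string]$TimestampUrl = '',
    # Validity of the self-signed certificate, in years
    [int]$ValidYears      = 1
)

$ErrorActionPreference = 'Stop'

# Code-signing EKU (1.3.6.1.5.5.7.3.3) plus an empty basic-constraints
# extension, so the certificate is an end-entity signing cert, not a CA.
$cert = New-SelfSignedCertificate -Type Custom -Subject $Subject `
    -KeyUsage DigitalSignature -FriendlyName 'MSIX self-signed signing cert' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears($ValidYears) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# Select the certificate by thumbprint from the user's store, so no PFX
# password has to be passed on the command line.
$signArgs = @('sign', '/fd', 'SHA256', '/sha1', $cert.Thumbprint)
if ($TimestampUrl) {
    # /tr = RFC 3161 timestamp server, /td = digest used for the timestamp
    $signArgs += @('/tr', $TimestampUrl, '/td', 'SHA256')
}
$signArgs += $PackagePath

& signtool.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Report what ended up in the package: signer expiry and whether a
# timestamp countersignature is present.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
[pscustomobject]@{
    Signer            = $sig.SignerCertificate.Subject
    SignerNotAfter    = $sig.SignerCertificate.NotAfter
    Timestamped       = [bool]$sig.TimeStamperCertificate
    TimestampAuthority = $sig.TimeStamperCertificate.Subject
}
```

With `-TimestampUrl` left empty, the signature is only good until `SignerNotAfter`, which is the trade-off the second reply describes.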