
How to Avoid Code Signing Certificate Expired Issues


Code signing certificates expire; your digital signature doesn’t have to

A Code Signing certificate, like an SSL certificate, is only good for a set period of time. Afterwards it expires and can no longer be used. But that creates a potential problem: what happens to all the software you signed before the certificate expired? Are all of those digital signatures expired now too? Not if you timestamped them. Timestamping is a mechanism that ensures your digital signature remains trusted long after your Code Signing certificate has expired.


Why do Code Signing certificates expire?

  1. Before a Code Signing certificate is issued – to an organization or an individual – Comodo needs to perform validation. This process verifies your identity and makes sure that you’re a legitimate developer. In order to stay on top of that validation, you need to check in every couple of years to make sure Comodo knows you’re still active and still trustworthy. After all, the browsers and antivirus programs that serve as web filters don’t trust you specifically; they trust Comodo, who is vouching for you. This helps everyone stay more secure.
  2. Imagine for a second that Code Signing certificates didn’t expire: once a software company gets one, it’s good forever. Now imagine that company goes out of business. What happens to the certificate? If it falls into the wrong hands, it can be used to impersonate the company and fool internet users into downloading bad software. That’s a huge risk, one that can be mitigated by giving each Code Signing certificate a set validity period.

Fortunately, there’s a way to make sure your signed software executable will still be completely valid, even after your code signing certificate expires – timestamping.

What is Timestamping?

When you apply a digital signature to your software, a customer’s computer is going to check your digital signature before installing the software.

Normally, if there is no timestamp, the system will check the certificate expiration date against the current date. However, if you apply a timestamp (a digital record of when the signature was applied), your customers’ computers will be able to see that the software was signed while the certificate was still valid, and the download will proceed as planned.

How do I timestamp my software?

Timestamping is supported by a variety of software development tools, including Microsoft SignTool and Visual Studio. Before you sign your executable, the software you’re using to apply the signature will check Comodo’s Time Stamping server for the current date and time and timestamp your signed file.

Once the program is signed, no matter when it’s used (even if your code signing certificate has expired), the signature will be viewed as valid. Timestamping might add an extra step to the process, but it’s definitely worth taking the time to do it. It will save you a huge headache in the long run and avoid any code signing certificate expired issues in the future.
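
The following PowerShell script is an added example, not part of the original article: it signs a file with Microsoft SignTool using an RFC 3161 timestamp and then fails if the resulting signature carries no timestamp. It assumes signtool.exe is on PATH and that the certificate is in a store SignTool can search; the timestamp URL is a placeholder to replace with your CA's timestamping server address.

```powershell
# Added example: sign with a timestamp, then refuse to ship a file whose
# signature has no timestamp (such a signature is only good until the
# signing certificate expires).
param(
    [Parameter(Mandatory)] [string] $FilePath,
    # SHA-1 thumbprint of your code signing certificate (assumed to be in a store signtool searches)
    [Parameter(Mandatory)] [string] $Thumbprint,
    # Placeholder, not a real server: use the timestamping URL published by your CA
    [string] $TimestampUrl = 'http://timestamp.example.invalid'
)

$ErrorActionPreference = 'Stop'

# /fd = file digest algorithm, /tr = RFC 3161 timestamp server, /td = timestamp digest algorithm
& signtool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $FilePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Re-read the signature from the file instead of trusting the tool's output
$sig = Get-AuthenticodeSignature -FilePath $FilePath

if (-not $sig.SignerCertificate) {
    throw "No signature found on $FilePath"
}
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    # Signed, but no timestamp: the signature stops validating when the certificate expires
    throw "Signature on $FilePath has no timestamp; re-sign with a reachable timestamp server"
}

# Summary for the build log
[pscustomobject]@{
    File           = $FilePath
    Signer         = $sig.SignerCertificate.Subject
    SignerExpires  = $sig.SignerCertificate.NotAfter
    TimestampedBy  = $sig.TimeStamperCertificate.Subject
}
```

Running this as a release gate catches the case where signing succeeded but the timestamp was silently left out.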
