What is a Timestamp in Code Signing? How Does Timestamping Work?
Let’s talk about the code signing timestamp. Code signing is a requirement on most platforms nowadays. Whether you’re creating apps for Android and iOS or traditional software for a platform like Microsoft Windows, the code needs to be signed with a certificate issued by a certificate authority (CA) in order to be trusted. But code signing certificates expire after a set amount of time. Normally, that would render any signature made with that certificate expired along with the certificate itself.
If you’re not sure what “timestamp” means, we’ll break it down. A timestamp is a small piece of data that gets included along with the signature when a script or executable is signed. When a client sees the signature along with the timestamp, it checks that the signature was made at a time when the certificate was still valid. As long as the timestamp is valid, the signature remains good in perpetuity.
How Does Timestamping Work?
When a piece of software is signed, the process works like this:
1. The software is hashed.
2. The hash value is then signed (encrypted with the private key).
When the client receives the software, the code signing certificate is presented along with it. The client uses the public key to decrypt the signature, then performs the same hash function on the software to make sure the digest it produces matches the value that was signed. If both of these things check out, the client trusts the software. If not, an error message is issued.
Ok, So Where Does Timestamping Fit In?
Right between steps one and two. Once the software is hashed, and before the signature is added, the server making the signature performs a call to a designated timestamping server. Most certificate authorities run their own, but there are public timestamping servers too. Whichever server you’ve configured will respond with a timestamp that’s included along with the hash value and the signature.
When the client receives the certificate, it checks the verified timestamp and then compares it to the validity dates on the certificate. So long as the signature was made while the code signing certificate was valid, the software will remain trusted, even once the certificate expires.
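The full flow described in the two sections above, as an added example that is not from the original article: a toy RSA key pair (constructed, and far too small to be secure) stands in for both the code signing key and the timestamping server’s key, and the client decides trust by comparing the signing time against the certificate’s validity window, with and without a timestamp.

```python
import hashlib
from datetime import datetime

# Toy RSA keys (constructed, ~60-bit, NOT secure) standing in for the publisher's
# code signing key and the timestamping server's key; pow(e, -1, m) needs Python 3.8+.
def toy_keypair(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

PUB_KEY, PRIV_KEY = toy_keypair(1000000007, 998244353)
TSA_PUB, TSA_PRIV = toy_keypair(1000000009, 999999937)

def sign(digest, priv):            # "encrypt" the hash with the private key
    return pow(int.from_bytes(digest, "big") % priv[0], priv[1], priv[0])

def verify(digest, sig, pub):      # "decrypt" with the public key, compare to the hash
    return pow(sig, pub[1], pub[0]) == int.from_bytes(digest, "big") % pub[0]

def sign_software(software, signed_at, with_timestamp):
    digest = hashlib.sha256(software).digest()             # step 1: hash the software
    timestamp = None
    if with_timestamp:   # timestamping server binds the time to this hash and signs it
        stamp = hashlib.sha256(signed_at.isoformat().encode() + digest).digest()
        timestamp = (signed_at, sign(stamp, TSA_PRIV))
    return {"sig": sign(digest, PRIV_KEY), "timestamp": timestamp}  # step 2: sign hash

def verify_software(software, bundle, not_before, not_after, now):
    digest = hashlib.sha256(software).digest()             # client re-hashes the software
    if not verify(digest, bundle["sig"], PUB_KEY):
        return False                                       # tampered software or wrong key
    if bundle["timestamp"] is None:
        signing_time = now          # no proof of when it was signed: cert must be valid now
    else:
        when, tsa_sig = bundle["timestamp"]
        stamp = hashlib.sha256(when.isoformat().encode() + digest).digest()
        if not verify(stamp, tsa_sig, TSA_PUB):
            return False                                   # altered or forged timestamp
        signing_time = when
    return not_before <= signing_time <= not_after         # compare against cert validity

def demo():
    nb, na = datetime(2023, 1, 1), datetime(2024, 1, 1)    # certificate validity window
    signed, later = datetime(2023, 6, 1), datetime(2025, 6, 1)  # later is past expiry
    sw = b"constructed sample executable bytes"
    plain, stamped = sign_software(sw, signed, False), sign_software(sw, signed, True)
    return {
        "no_ts_before_expiry": verify_software(sw, plain, nb, na, signed),   # True
        "no_ts_after_expiry": verify_software(sw, plain, nb, na, later),     # False
        "ts_after_expiry": verify_software(sw, stamped, nb, na, later),      # True
        "ts_outside_validity": verify_software(sw, sign_software(sw, later, True), nb, na, later),
        "tampered": verify_software(sw + b"!", stamped, nb, na, later),      # False
    }
```

Only the timestamped signature survives the certificate’s expiry; a signature without a timestamp is judged against the certificate’s status at verification time, and a timestamp that falls outside the validity window is rejected.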
Final Thoughts
We trust that we’ve answered your question about “what is a timestamp” concerning code signing certificates.
Have you already purchased your code signing certificate? If not, check out our selection of Comodo CA code signing certificates to get the best prices.