What is a Timestamp in Code Signing? How Does Timestamping Work?


Let’s talk about the code signing timestamp. Code signing is a requirement on most platforms nowadays. Whether you’re creating apps for Android and iOS or traditional software for a platform like Microsoft Windows, the code needs to be signed with a certificate issued by a certificate authority (CA) in order to be trusted. But code signing certificates expire after a set amount of time. Normally, that would render any signature made with that certificate expired along with the certificate itself.

But that’s not the case with timestamping.

What is a Timestamp in Code Signing?

If you’re not sure what a timestamp means here, we’ll break it down. A timestamp is a small piece of data that gets included along with the signature when a script or executable is signed. When a client sees the signature together with the timestamp, it simply checks that the signature was made at a time when the certificate was still valid. As long as the timestamp is valid, the signature remains good in perpetuity.

How Does Timestamping Work?

When a piece of software is signed, the process works like this:

  • The software is hashed
  • The hash value is then signed/encrypted

When the client receives the software, the code signing certificate is presented along with it. The client uses the certificate’s public key to decrypt (verify) the signature, then performs the same hash function on the software to make sure the digest it produces matches the value that was signed. If both of these things check out, the client trusts the software. If not, an error message is issued.

Graphic: Code signing Visual Studio error

Ok, So Where Does Timestamping Fit In?

Right between steps one and two. Once the software is hashed, and before the signature is added, the server making the signature performs a call to a designated timestamping server. Most certificate authorities run their own, but there are public timestamping servers as well. Whichever server you’ve configured will respond with a timestamp that’s included along with the hash value and the signature.

When the client receives the certificate, it checks the verified timestamp and compares it to the validity dates on the certificate. So long as the signature was made while the code signing certificate was valid, the software will remain trusted, even once the certificate expires.
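To make the rule above concrete, here is an added example (not from the article) that models the client-side decision in Python: the received bytes are re-hashed and compared with the signed digest, and the signing time (the timestamp if present, otherwise the current time) is checked against the certificate’s validity window. The certificate dates, the sample software bytes and the timestamps are all constructed values.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample: a code signing certificate that was valid for one year.
CERT_NOT_BEFORE = datetime(2020, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2021, 1, 1, tzinfo=timezone.utc)


@dataclass
class SignedArtifact:
    payload: bytes                 # the software bytes the client received
    signed_digest: str             # hex SHA-256 digest the publisher signed
    timestamp: Optional[datetime]  # signing time asserted by the timestamp server, if any


def verify(artifact: SignedArtifact, not_before: datetime,
           not_after: datetime, now: datetime) -> Tuple[bool, str]:
    """Return (trusted, reason). The hash must match, and the signature must
    have been made while the certificate was valid. With a timestamp the
    signing time is known; without one the client can only use 'now'."""
    digest = hashlib.sha256(artifact.payload).hexdigest()
    if digest != artifact.signed_digest:
        return False, "hash mismatch: software was altered after signing"
    signing_time = artifact.timestamp if artifact.timestamp is not None else now
    if signing_time < not_before:
        return False, "signing time precedes certificate validity"
    if signing_time > not_after:
        if artifact.timestamp is None:
            return False, "certificate expired and no timestamp proves earlier signing"
        return False, "timestamp is after certificate expiry"
    return True, "signature made within certificate validity"


def demo() -> dict:
    """Four constructed scenarios evaluated long after the certificate expired."""
    software = b"constructed sample executable bytes"
    good_digest = hashlib.sha256(software).hexdigest()
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)           # certificate expired in 2021
    signed_2020 = datetime(2020, 6, 15, tzinfo=timezone.utc)  # timestamp inside validity
    signed_2022 = datetime(2022, 1, 1, tzinfo=timezone.utc)   # timestamp after expiry
    window = (CERT_NOT_BEFORE, CERT_NOT_AFTER, now)
    return {
        "timestamped": verify(SignedArtifact(software, good_digest, signed_2020), *window),
        "no_timestamp": verify(SignedArtifact(software, good_digest, None), *window),
        "tampered": verify(SignedArtifact(software + b"!", good_digest, signed_2020), *window),
        "late_timestamp": verify(SignedArtifact(software, good_digest, signed_2022), *window),
    }
```

Only the timestamped, untampered artifact stays trusted after expiry; the same signature without a timestamp is rejected once the certificate's notAfter date has passed.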

Final Thoughts

We trust that we’ve answered your question about what a timestamp is in the context of code signing certificates.

Have you already purchased your code signing certificate? If not, check out our selection of Comodo CA Code signing certificates to get the best prices.
