Let’s talk about code signing timestamps. Code signing is a requirement on most platforms nowadays. Whether you’re creating apps for Android and iOS or traditional software on a platform like Microsoft Windows, it needs to be signed with a certificate from a certificate authority (CA) in order to be trusted. But code signing certificates expire after a set amount of time. Normally, that would cause any signature made with that certificate to expire along with the certificate itself.
But that’s not the case with timestamping.
If you’re not sure what a timestamp is, we’ll break it down. A timestamp is a small piece of data that gets included along with the signature when a script or executable is signed. When a client sees the signature along with the timestamp, it checks that the signature was made at a time when the certificate was still valid. As long as the timestamp is valid, the signature will be good in perpetuity.
When a piece of software is signed, the process works like this:
When the client receives the software, the code signing certificate is presented along with it. The client uses the public key to decrypt the signature, then it performs the same hash function on the software to make sure the digest it produces matches the value that was signed. If both of these things check out, the client trusts the software. If not, an error message is issued.
Right between steps one and two. Once the software is hashed, and before the signature is added, the server making the signature calls a designated timestamping server. Most certificate authorities run their own, but there are public timestamping servers, too. Whichever server you’ve configured will respond with a timestamp that’s included along with the hash value and the signature.
When the client receives the certificate, it checks the verified timestamp and then compares it to the validity dates on the certificate. So long as the signature was made while the code signing certificate was valid, the software will remain trusted, even once the certificate expires.
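The date check described above, as an added example that is not from the original article: a simplified Python model of how a client decides whether a signature is still acceptable after the certificate has expired. The names `Cert`, `Timestamp` and `check_signing_time` are hypothetical, the dates and software bytes are constructed, and verification of the code signature and of the timestamp server's own signature is assumed to have already succeeded.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class Cert:  # hypothetical stand-in for a code signing certificate
    not_before: datetime
    not_after: datetime


@dataclass
class Timestamp:  # hypothetical stand-in for a timestamp server response
    digest: bytes        # hash value the timestamp was issued over
    signed_at: datetime  # time asserted by the timestamp server


def check_signing_time(cert: Cert, software: bytes, ts: Optional[Timestamp],
                       now: datetime) -> Tuple[bool, str]:
    """Date check only; both signatures are assumed already verified."""
    if ts is None:
        # Without a timestamp the client can only judge the certificate as of now.
        if cert.not_before <= now <= cert.not_after:
            return True, "no timestamp, certificate currently valid"
        return False, "no timestamp, certificate not valid now"
    if ts.digest != hashlib.sha256(software).digest():
        # A timestamp issued over a different hash says nothing about this file.
        return False, "timestamp does not cover this software"
    if not (cert.not_before <= ts.signed_at <= cert.not_after):
        return False, "signed outside certificate validity"
    return True, "signed while certificate was valid"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: a one-year certificate checked after it has expired.
CERT = Cert(utc(2022, 1, 1), utc(2023, 1, 1))
SOFTWARE = b"constructed installer bytes"
GOOD_TS = Timestamp(hashlib.sha256(SOFTWARE).digest(), utc(2022, 6, 1))
LATE_TS = Timestamp(hashlib.sha256(SOFTWARE).digest(), utc(2023, 2, 1))
NOW = utc(2024, 3, 1)

if __name__ == "__main__":
    for label, ts in [("timestamped", GOOD_TS), ("stamped after expiry", LATE_TS),
                      ("no timestamp", None)]:
        print(label, "->", check_signing_time(CERT, SOFTWARE, ts, NOW))
```

Only the first case is accepted: the same expired certificate is rejected when the timestamp falls after expiry or when there is no timestamp at all.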
We trust that we’ve answered your question, “what is a timestamp,” concerning code signing certificates.
Have you already purchased your code signing certificate? If not, check out our selection of Comodo CA Code signing certificates to get the best prices.