How Can Software Publishers Deal With Expired Code Signing Certificate Issues?
How to Avoid Expired Code Signing Certificate Issues
Code Signing certificates have expiry dates. Just like how an SSL certificate protects your website only for a specific period of time, Code Signing certificates are also bound to do the same. While an expiring certificate can question the credibility of all the signed software programs, the good news is that your digital certificate’s expiry does not impact users if you have timestamped your software.
Before exploring the need for timestamping with digital signatures, let us understand why a code signing certificate expires or how to avoid expired code signing.
Code Signing Basics
A software publisher or developer can sign their work using a certificate issued by a trustworthy Certificate Authority, which is an authorized entity to issue a code signing certificate. This Certificate Authority verifies the legitimacy of the publisher and signs the required code signing certificate after validating specific requirements.
By doing this, Windows or the user’s antivirus program won’t pop up the ‘Unknown Publisher‘ error when trying to download your software.
Why Does a Code Signing Certificate Expire?
Suppose if your code signing certificate does not have a validity period, and your business shuts down due to unforeseen circumstances like the COVID-19 pandemic. The chances of your certificate slipping into the hands of online offenders are high. Then these offenders would be able to trick your customers into downloading malicious software using your valid code signing certificate.
That is the major reason why a code signing certificate has an expiry date in place – to ensure the utmost security, as well as keep up with the industry standards.
Note that an expired code signing certificate signifies that your signed piece of software or application will no longer be trusted by popular operating systems and antivirus programs. But timestamping ensures that your software maintains indefinite trust even after the code signing certificate lapses.
Let us look into how the timestamping process overcomes the code signing expiry issue.
What Is Timestamping?
The generic definition of Timestamp refers to a piece of information, usually the date and time, with which you can track a particular event.
Take an example of a rubber stamp, which stamps the current date and time on a document. Similarly, in digital terms, a code signing timestamp records and preserves the digital signature of your software code, which can be used to determine the validity of a downloaded certificate even if it expires in the future.
It is standard for a user’s computer to check your digital signature before downloading or installing a piece of software. This process usually happens by checking the expiry date against the current date in your system.
But if you timestamped your code, it means your digital signature is frozen, and the user can download and install the software at any time within the software’s lifespan without seeing the ‘Author Unknown‘ warning message.
Ways to Timestamp a Software Program
There is a variety of signing tools like the Visual Studio and Microsoft SignTool, with which you can timestamp your software codes. These tools will check your CA’s timestamping servers for the current date and proceed with the timestamping process.
Now your signed certificates are timestamped, meaning that your signature will still be valid even after the code signing certificate expires.
Since this timestamping process is all about trust, any data modified after the timestamping process makes the signature invalid.
Though timestamping might seem like an extra effort in the code signing process, it can make a huge impact. Only your code signing certificates expire, and not your digital signature! Most of all, it prevents the unpleasant ‘Publisher Unknown’ warning message while installing your software.
Hence it would be appropriate to say that the timestamping process can significantly enhance your customer experience.