[{"data":1,"prerenderedAt":77},["ShallowReactive",2],{"$kqlWeeHJeDHiL":3},{"code":4,"status":5,"result":6},200,"OK",{"blocks":7,"objectives":62,"title":71,"subheading":72,"intro":73,"related":74,"browser":75,"description":76},[8,15,20,24,28,33,37,42,46,50,54,58],{"content":9,"id":12,"isHidden":13,"type":14},{"level":10,"text":11},"h2","Timestamping Solves a Particular Problem","42de31d9-0084-4bad-ac6d-bce05f48d8ec",false,"heading",{"content":16,"id":18,"isHidden":13,"type":19},{"text":17},"\u003Cp>Much like any other X.509 certificate, \u003Ca href=\"/ssl-certificates/code-signing\">code signing certificates\u003C/a> have a strictly defined validity period. After this period ends, the certificate is no longer considered active and thus necessitates a new signature. Without a timestamp, once the certificate has expired, operating systems and security software treat any executable, whether previously signed or not, as unverified. This presents us with an obvious problem: not all software needs to be maintained forever, and its certificate will therefore expire sooner or later.\u003C/p>\u003Cp>Software compiled years ago was signed with certificates that have certainly expired by now, and would \u003Ca href=\"/learning/code-signing/unknown-publisher-warnings\">trigger security warnings\u003C/a> even if the state of the code is no different from what it was on day one of its signing. The end result is that the developers are forced into a continuous cycle of re-signing old releases, while users face added friction.\u003C/p>\u003Cp>Timestamping solves both of these problems in advance. This is accomplished by creating a verifiable record of when the code was signed, thereby correlating the certificate’s validity with the code's trustworthiness at a particular point in time.\u003C/p>","c4f76edc-86f5-4af7-9fb9-4b090bf6a029","text",{"content":21,"id":23,"isHidden":13,"type":14},{"level":10,"text":22},"How Timestamping Works","dcc83c4d-08fb-4fd3-bd77-51ce65b44740",{"content":25,"id":27,"isHidden":13,"type":19},{"text":26},"\u003Cp>When a developer signs an executable, their preferred signing tool can submit the signature's cryptographic hash to a Timestamp Authority (TSA). The TSA is an independent and trusted service operated by some \u003Ca href=\"/learning/ssl/what-is-a-certificate-authority\">Certificate Authorities (CAs)\u003C/a>.\u003C/p>\u003Cp>The TSA receives the hash, checks its signing time against a reliable time source, and responds with a countersignature. The countersignature verifies the date and time the hash was received and is embedded in the signed binary alongside the original code signature.\u003C/p>\u003Cp>There is a standard in place to govern timestamping: \u003Ca href=\"https://www.ietf.org/rfc/rfc3161.txt\" target=\"_blank\">RFC 3161\u003C/a>, published by the Internet Engineering Task Force (IETF). RFC 3161 defines the format of timestamp requests and responses, guaranteeing interoperability between different vendors’ timestamp servers and signing tools.\u003C/p>\u003Cp>When a user installs or runs signed and timestamped software, the operating system verifies two separate things:\u003C/p>","d8251575-68e7-40cd-a483-0c61f8be047c",{"content":29,"id":31,"isHidden":13,"type":32},{"text":30},"\u003Cul>\u003Cli>\u003Cp>Code signature, confirming the binary has not been modified.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Timestamp countersignature, confirming the signature was applied while the certificate was still valid.\u003C/p>\u003C/li>\u003C/ul>","675eab8e-b632-47a4-8da2-cfda74bb2310","list",{"content":34,"id":36,"isHidden":13,"type":19},{"text":35},"\u003Cp>Both of these checks must pass for the software to be trusted, and this remains the case even after the original signing certificate expires.\u003C/p>","cca1da92-23cf-48e7-8988-2c17a5d8c120",{"content":38,"id":41,"isHidden":13,"type":14},{"level":39,"text":40},"h3","Trusted Timestamp Authorities","4968503c-1f3e-4b64-be95-1ed5c6b511e9",{"content":43,"id":45,"isHidden":13,"type":19},{"text":44},"\u003Cp>Major Certificate Authorities operate their own TSAs in most cases. Examples include \u003Ca href=\"/digicert-ssl\">DigiCert\u003C/a>, GlobalSign, and \u003Ca href=\"/sectigo\">Sectigo\u003C/a>. Both Microsoft’s signtool and Apple’s codesign utilities natively support RFC 3161 via a URL parameter provided at signing time, and the TSAs’ timestamp servers are publicly accessible, making the process largely plug-and-play.\u003C/p>","ca75692a-eb72-4592-beb8-2ed77a0c72d3",{"content":47,"id":49,"isHidden":13,"type":14},{"level":39,"text":48},"What Happens Without a Timestamp","0692912a-b153-44f1-899f-b95e4e34fe28",{"content":51,"id":53,"isHidden":13,"type":19},{"text":52},"\u003Cp>Binaries signed without timestamping lose their validity when the certificate used to sign them expires. After the certificate expires, operating systems and security software have no way of determining when the signing took place. As a result, the signature becomes unverifiable, and users start receiving \u003Ca href=\"/learning/code-signing/unknown-publisher-warnings\">warnings about unknown publishers\u003C/a>, though the specifics vary by platform.\u003C/p>\u003Cp>Software with long-tail distribution timelines suffers from this in particular, including utilities, embedded firmware, enterprise tools, and similar.\u003C/p>","78065d22-1494-4dd6-8354-7ec6f21a3055",{"content":55,"id":57,"isHidden":13,"type":14},{"level":10,"text":56},"To Summarize","14168228-8282-4e1d-99b7-cf52b7ea69ca",{"content":59,"id":61,"isHidden":13,"type":19},{"text":60},"\u003Cp>Timestamping is an essential part of proper code-signing workflows. It extends the trustworthiness of a signed binary far beyond the lifetime of the certificate that signed it, protecting developers and end users from disruptive verification failures in the long run. Applying an RFC 3161 timestamp when signing code is strongly recommended as a baseline development practice.\u003C/p>","e01d45c7-9bb4-463d-ae09-1cb88860f2b0",[63,65,67,69],{"text":64},"What a timestamp is.",{"text":66},"How Timestamp Authorities issue countersignatures",{"text":68},"Understand why timestamping matters",{"text":70},"Identify the governing standard for timestamping","What is Time-stamping?","How code signing certificates remain trusted after expiry.","When a code signing certificate expires, the software it signed does not automatically become untrustworthy as long as it was timestamped at the time of signing. Without timestamping, every signed executable would need to be re-signed as soon as its certificate expired, which is impractical if the software is intended to be used for years on end.",[],"","Time-stamping is required with code signing to keep that software valid and secure. Here we explain what it is and how it works.",1776831057351]