Best Practices for Code Signing Time Stamping
What is Code Signing Time Stamping, and How Does it Work?
This guide gives an overview of best practices for time stamping code signatures, so that the software you sign stays verifiable long after the signing certificate expires.
If you have spent some time working in the software sector, you have probably come across code signing. It is one of those things that everyone has heard of but few fully understand: what it does and how it works.
Even people who use it regularly may not know the practices that make code-signing tools safer and easier to operate. This article covers time stamping best practices in code signing that save time and money and help you sign applications with valid certificates without the common mistakes.
But first, let’s understand what time-stamping is and how it works:
See Also: Code Signing Best Practices for Software Developers
What is time-stamping?
Time-stamping adds a trusted, cryptographically signed time stamp to the signature on a file or piece of code. It proves that the signature existed at a particular time, so a verifier can still accept it after the Code Signing Certificate has expired.
Each time a signed executable is run, the user's operating system verifies its digital signature. If the publisher added a time stamp, the verifier does not judge the certificate against the current system time; it judges it against the time recorded in the time stamp, i.e. the moment the code was digitally signed.
The signing tool obtains that time from a Time Stamping server: after producing the signature with the Code Signing Certificate, it sends a hash of the signature to the server's URL and embeds the signed time stamp it receives alongside the signature.
As long as the executable was signed and time-stamped while the certificate was valid, it will not trigger an "unknown publisher" warning later on, no matter when it is run or how long ago the certificate expired. Time Stamping is therefore an additional and crucial step in the code-signing process.
How does time stamping work?
A signature already proves that a file has not been modified since it was signed; the time stamp adds proof of when that signature was made. Time is also central to TLS, where every certificate carries a validity period, but a trusted time stamp is a separate mechanism: a third party's signed statement that certain data existed at a certain moment.
A time-stamping service is an online service that confirms the existence of data at a specific point in time. Time Stamping Authorities (TSAs), usually operated by Certificate Authorities, issue time stamps using Public Key Infrastructure (PKI) technology. The key steps are outlined at a high level below.
- The client application computes a hash of the data or file to be time-stamped and sends only that hash to the TSA; the data itself never leaves the client.
- Because the hash uniquely identifies the data, any later modification to the original file, even a single bit, produces a different hash that no longer matches the time stamp.
- The TSA combines the authoritative time with the hash and other data (a serial number, the policy, the client's nonce) into a time-stamp token, signs it with the TSA's private key and returns it to the client.
- The token contains everything the client will later need to verify the time stamp.
- The client application embeds the time-stamp token in the document or in the digital code signature.
Whenever the time-stamped data or file is opened in the future, the client application uses the TSA's certificate and public key to authenticate the token (confirming that it came from a trusted TSA), re-calculates the hash of the data and checks that it matches the hash inside the token.
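The exchange described in the steps above, modelled in Go as an added example. This is not code from the original article and not a real RFC 3161 client: the type names, the ECDSA key, the DER layout of the token and the sample signature bytes in main are this example's own constructions, and the request carries only a hash and a nonce. It shows the properties the steps rely on: the TSA only ever sees a hash, the token binds that hash to the TSA's clock under the TSA's signature, and any later change to the data, the token or the nonce makes verification fail.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// TSTInfo is the payload the TSA signs; DER encoding makes the bytes canonical.
type TSTInfo struct {
	Serial  int64
	Hash    []byte // the client's message imprint
	GenTime time.Time
	Nonce   int64
}

// TimeStampToken is the TSA's reply: DER(TSTInfo) plus the TSA's signature over it.
type TimeStampToken struct {
	Info, Sig []byte
}

// TSA models the server: signing key, authoritative clock (injectable for tests), serial counter.
type TSA struct {
	key    *ecdsa.PrivateKey
	now    func() time.Time
	serial int64
}

func NewTSA(now func() time.Time) (*TSA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{key: key, now: now}, nil
}

// Imprint is the client-side hash sent to the TSA (for code signing, normally the hash of the signature value).
func Imprint(data []byte) []byte { h := sha256.Sum256(data); return h[:] }

// Issue binds the client's imprint and nonce to the TSA's current time and signs the result.
func (t *TSA) Issue(imprint []byte, nonce int64) (TimeStampToken, error) {
	if len(imprint) != sha256.Size {
		return TimeStampToken{}, errors.New("tsa: malformed message imprint")
	}
	t.serial++
	info := TSTInfo{Serial: t.serial, Hash: imprint, Nonce: nonce,
		GenTime: t.now().UTC().Truncate(time.Second)} // ASN.1 UTCTime has second precision
	der, err := asn1.Marshal(info)
	if err != nil {
		return TimeStampToken{}, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest[:])
	if err != nil {
		return TimeStampToken{}, err
	}
	return TimeStampToken{Info: der, Sig: sig}, nil
}

// Verify is what a relying party runs later: authenticate the token with the TSA's
// public key, then check that the data still hashes to the imprint in the token and
// that the nonce is the one this client chose. Returns the attested time.
func Verify(pub *ecdsa.PublicKey, data []byte, nonce int64, tok TimeStampToken) (time.Time, error) {
	if digest := sha256.Sum256(tok.Info); !ecdsa.VerifyASN1(pub, digest[:], tok.Sig) {
		return time.Time{}, errors.New("timestamp: signature does not verify under the TSA key")
	}
	var info TSTInfo
	if rest, err := asn1.Unmarshal(tok.Info, &info); err != nil || len(rest) != 0 {
		return time.Time{}, errors.New("timestamp: malformed TSTInfo")
	}
	if !bytes.Equal(Imprint(data), info.Hash) {
		return time.Time{}, errors.New("timestamp: data has changed since the token was issued")
	}
	if info.Nonce != nonce {
		return time.Time{}, errors.New("timestamp: nonce mismatch, token does not answer this request")
	}
	return info.GenTime, nil
}

func main() {
	tsa, err := NewTSA(time.Now)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	sigBlock := []byte("constructed sample: signature bytes of a signed executable")
	nonce := int64(20230501) // use a random nonce in practice
	tok, _ := tsa.Issue(Imprint(sigBlock), nonce)
	when, err := Verify(&tsa.key.PublicKey, sigBlock, nonce, tok)
	fmt.Println("original:", when, err)
	sigBlock[0] ^= 0x01 // flip one bit of the data
	_, err = Verify(&tsa.key.PublicKey, sigBlock, nonce, tok)
	fmt.Println("tampered:", err)
}
```

A real token is a CMS SignedData structure whose signer certificate chains to a trusted root and carries the time-stamping extended key usage; the verifier checks that chain in addition to the three checks shown here.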
What is a Time Stamping Server?
To sign code or a document, you run it through a hashing algorithm and sign the resulting hash with your private key, which produces a digital signature. The digital signature and the code-signing certificate are combined into a signature block.
Programs such as Microsoft's SignTool can then time-stamp the signature block with the current date and time obtained from a Time Stamping server, typically one operated by your Certificate Authority. The time-stamped signature block is bound to the original code or document, which you can now publish for download on your website.
Time Stamping Protocols
The following protocols are generally used for time stamping:
- RFC 3161: the Time-Stamp Protocol (TSP). It was updated by RFC 5816, which allows the signing-certificate attribute to use ESSCertIDv2 (defined in RFC 5035), so the TSA certificate can be identified with a SHA-2 hash rather than SHA-1. This is the protocol behind SignTool's /tr option.
- Microsoft Authenticode: the legacy Authenticode time stamp (SignTool's /t option) is a countersignature attached to the Authenticode signature and applies to the file formats Authenticode covers, including cab, exe, ocx and dll. New deployments should prefer RFC 3161 time stamps, which support SHA-256 digests.
Why Time Stamping Matters
Time stamping lets anyone verifying your software establish when it was signed. Together with the signature itself, which fails if even one byte changes, it lets recipients confirm both that the software has not been tampered with since signing and that it was signed while your certificate was valid. Note that this protects the signed file: it does not by itself detect malware that modifies other files after installation.
Use a Trusted Timestamping Authority
This is where "trusted" time stamping comes in. These time stamps are produced by a reputable third party whose signing keys are held in secure, FIPS-compliant hardware, so neither local users nor the signer can alter them without invalidating the TSA's signature. With a trusted time stamp you can assert, with a high degree of assurance, that the recorded date is correct and that the signed data has not changed since.
The conditions a third party must satisfy to function as a Timestamping Authority are described in RFC 3161.
Trusted time stamps are applied using independently validated and auditable UTC (Coordinated Universal Time) sources. You can therefore be certain of the time at which a signature was applied because, unlike a local system clock, the TSA's clock cannot be adjusted by whoever controls the signing machine.
Best Practices for Time Stamping in Code Signing
Here are some best practices for time stamping in code signing:
The first and most crucial step
Time-stamping is an optional feature in many tools, including Microsoft's SignTool; a signature produced without it is valid only until the certificate expires. Make sure you know how your development tools handle time-stamping. In SignTool, for example, an RFC 3161 time stamp is requested with /tr <url> together with /td sha256, whereas the older /t option requests a legacy Authenticode time stamp. Documentation is available for the most popular platforms, including Windows, macOS and Java.
Verify platform support
The current de facto hash algorithm for signatures and time stamps is SHA-2 (SHA-256 in practice). Some operating systems still in use do not support SHA-2 signatures out of the box; Windows 7, for example, accepts them only after a servicing update has been installed.
If many of your users run an older operating system, consider whether to dual-sign: apply a SHA-1 signature first and then append a SHA-256 signature (SignTool's /as option), each with its own time stamp, so that both old and new systems can verify the file. Treat SHA-1 as a compatibility measure only; it is no longer considered secure for new signatures.
Include it in the build process
Your program will be updated as you create and distribute new executables. To avoid unexpected problems and failures with each version, make signing and time-stamping a step in the build and release pipeline rather than a manual action, and make the build fail if either step does not succeed.
Document the process
You are the expert on your development process and tools. Time-stamping adds extra flags and commands to the signing procedure, plus the URL of the time-stamp server from which the time stamp is securely obtained. Write these down so that nobody forgets to sign and time-stamp your software when staff or procedures change.
Limit key compromise damage
With time-stamping, operating systems can determine whether a signed executable was signed before or after a certificate was revoked. If your signatures are time-stamped, you can revoke a certificate after a key compromise without invalidating the signatures you produced legitimately: everything time-stamped before the revocation date remains valid, and everything time-stamped after it is rejected. One caveat: the revocation date must reflect the time of the compromise, not the time you noticed it; otherwise signatures the attacker produced in between would still be trusted. If the compromise happened earlier, ask your CA to backdate the revocation (the CRL entry's invalidity date).
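The rule in the paragraph above, written out as an added Go example. This is not Windows' actual chain-validation code and not code from the original article: a signature is judged at its time-stamped signing time if it has a trusted time stamp, otherwise at the current time. The Signature and Revocation types and all the dates in main are constructed for illustration; the InvalidityDate field models the CRL entry extension of that name from RFC 5280, which is how a CA records that a key was compromised earlier than the revocation was published.

```go
package main

import (
	"fmt"
	"time"
)

// Signature carries the signing certificate's validity window and, if the signature
// was countersigned by a trusted TSA, the attested signing time (zero = no time stamp).
type Signature struct {
	NotBefore, NotAfter time.Time
	TimestampedAt       time.Time
}

// Revocation is what a CRL or OCSP response reports. InvalidityDate is the optional
// "key was actually compromised at" time; when the CA sets it earlier than RevokedAt,
// it is the date that matters (zero = not set).
type Revocation struct {
	Revoked        bool
	RevokedAt      time.Time
	InvalidityDate time.Time
}

// effectiveRevocation returns the earliest moment from which signatures must be
// distrusted, or the zero time if the certificate is not revoked.
func effectiveRevocation(r Revocation) time.Time {
	if !r.Revoked {
		return time.Time{}
	}
	if !r.InvalidityDate.IsZero() && r.InvalidityDate.Before(r.RevokedAt) {
		return r.InvalidityDate
	}
	return r.RevokedAt
}

// Evaluate decides whether a signature should still be trusted at time now.
// With a trusted time stamp the signature is judged at the attested signing time;
// without one it is judged at now, so certificate expiry or revocation rejects it.
func Evaluate(sig Signature, rev Revocation, now time.Time) (bool, string) {
	at, basis := now, "now (no trusted time stamp)"
	if !sig.TimestampedAt.IsZero() {
		at, basis = sig.TimestampedAt, "the time-stamped signing time"
	}
	if at.Before(sig.NotBefore) || at.After(sig.NotAfter) {
		return false, "certificate not within its validity period at " + basis
	}
	if cut := effectiveRevocation(rev); !cut.IsZero() && !at.Before(cut) {
		return false, "certificate distrusted from " + cut.Format("2006-01-02") + " and the signature is judged at " + basis
	}
	return true, "certificate valid and unrevoked at " + basis
}

func main() {
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	cert := Signature{NotBefore: day(2021, 1, 1), NotAfter: day(2024, 1, 1)}
	stamped := cert
	stamped.TimestampedAt = day(2022, 3, 1)
	late := cert
	late.TimestampedAt = day(2023, 7, 1)
	revoked := Revocation{Revoked: true, RevokedAt: day(2023, 6, 1)}
	backdated := revoked
	backdated.InvalidityDate = day(2022, 1, 1) // compromise found later; CA backdated it
	now := day(2025, 6, 1)                     // well after the certificate expired

	cases := []struct {
		name string
		sig  Signature
		rev  Revocation
	}{
		{"time-stamped, signed before revocation", stamped, revoked},
		{"time-stamped, signed after revocation", late, revoked},
		{"time-stamped, compromise backdated before signing", stamped, backdated},
		{"no time stamp, certificate now expired", cert, Revocation{}},
	}
	for _, c := range cases {
		ok, why := Evaluate(c.sig, c.rev, now)
		fmt.Printf("%-52s trusted=%-5v %s\n", c.name, ok, why)
	}
}
```

The third case is the one that matters operationally: with the revocation date left at the day the compromise was noticed, the signature from March 2022 would pass, even though the attacker may already have held the key.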
Use the SHA-256 hash algorithm
SHA-2 (Secure Hash Algorithm 2) was designed by the National Security Agency and published in 2001 to replace SHA-1. SHA-256 is one variant of SHA-2: a cryptographic hash function that produces a 256-bit value.
Hashing is not encryption. Encryption transforms data into a form that cannot be read without the key, and the ciphertext is roughly the same size as the plaintext, however large that is. Hashing, by contrast, maps input of any size to a fixed-size digest and is one-way: SHA-256 turns a 512-bit string, or a multi-gigabyte installer, into a 256-bit digest from which the input cannot be recovered.
Ensure that the timestamp is included in the Digital Signature Block.
A default time stamp server must be configured before the digital signature is created. If one is set up and its certificate is in your trusted certificate list, the time stamp is embedded in the signature; otherwise the signature properties will only reflect the local date and time of the computer, which proves nothing. In document-signing tools the flow typically looks like this:
Step 1: Choose a default time stamp server under File > Preferences > Timestamp Servers.
Step 2: Sign the document.
Step 3: A Security Warning pop-up asks for permission to connect to the time stamp server. Click Allow.
Step 4: The time stamp is now embedded in your signature. Anyone validating the signature must have the time stamp server's certificate in their trusted certificate list; the signature attributes will then show the date and time recorded by the time stamp server rather than the local clock.
Conclusion on Code Signing Time Stamping
Time-stamping is an essential part of code signing. It keeps signatures verifiable after the certificate expires and can feed verification processes such as security or distribution policies.
It also lets verifiers tell legitimate, pre-revocation signatures from anything produced after a key was compromised, and it keeps tampering with files after signing detectable. With the practices above you can keep your code verifiable for its whole life, saving you time and money.