Wikis - Page Details

First published by Don A. Glover
When: 2 Mar 2010 8:56 AM
Last revision by Richard Mueller (cMVP, Microsoft Community Contributo)
When: 4 Mar 2013 9:42 AM
Revisions: 10
Comments: 10

Options

Can You Improve This Article?

Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.

Code Signing FAQ

Other Resources
Security Developer Center
Cryptography Topics on MSDN
Follow us on Twitter

It is clear that when timestamping is used with authenticode we can extend the validity signature beyond the expiration date of the code signing certificate. What happens after timestamping certificate expiration? Is this extension of the signature validity limited by the validity of the timestamping certificate?

By default, timestamps do not expire with the certificate chain expires. This can be changed by using the “lifetime signer OID” or setreg.exe for environments that wish to be more locked down. See code signing best practices for details on timestamping.

Code-Signing Best Practices

Can we timestamp kernel-mode components signed using Kernel-Mode Code Signing (KMCS) and SPC (Cross-Certificate) and will this action also extend the validity of the signature?

Timestamping for kernel mode components is encouraged, see the KMCS walkthrough:
Kernel-Mode Code Signing Walkthrough

What type of software they program actually needs to be signed?

In general, the feedback from the developers who program on our platform is that they are concerned that after signature expires, the component will not work.

While it is true that it is not always clear as to which interfaces actually require signatures and which do not, in general best practice is to sign all binaries. This is what Microsoft does (generally – there are some exceptions, but relatively few). Specific components will have specific requirements, and guidance is given to developers that specifically target these components.