RayPack 7.3 u6 User Guide > Advanced Topics > Digital signing > Timestamping
When a package is signed, its signature is only valid as long as the certificate used to sign it is valid. These two expiration dates are related. However, typical code signing certificates are short-lived compared to the lifetime of a package. This is where timestamps come in.
Timestamping adds a trusted electronic timestamp to your signature, which can extend the effective validity of the signing certificate. When a signature carries a timestamp, the certificate is validated against the time the signature was created rather than the time the software is executed. This means that the package signature remains valid even after the certificate used to sign it has expired. Without a timestamp, once the certificate expires the signature is checked against the current time, the certificate fails validation, and the application cannot be used.
Tip: As a best practice, every digital signature should be timestamped. This ensures that even after a certificate expires, the signature remains valid and users can continue running the software. Use trusted Timestamp Authorities (TSAs) to provide timestamps; these organizations are recognized for their reliability and security, which increases the trustworthiness of your application.
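The validation rule described above, as an added example in Python that is not part of the RayPack documentation: a minimal model of signature checking with constructed dates, showing why the same signature passes with a timestamp and fails without one once the certificate has expired, and why a timestamp cannot rescue a signature made after expiry. The Certificate and Signature types are assumptions for illustration only; real Authenticode verification also checks the certificate chain and revocation.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def covers(self, when: datetime) -> bool:
        """True if `when` lies inside the certificate's validity period."""
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Signature:
    signer: Certificate
    # Time asserted by a trusted TSA; None means the signature is not timestamped.
    tsa_time: Optional[datetime] = None


def evaluate(sig: Signature, now: datetime) -> tuple[bool, str]:
    """Decide whether `sig` is acceptable when checked at `now`.

    With a timestamp the signer certificate is judged at the TSA time;
    without one it is judged at the current time, so it fails after expiry.
    """
    if sig.tsa_time is not None:
        reference, basis = sig.tsa_time, "timestamp"
    else:
        reference, basis = now, "current time"
    if sig.signer.covers(reference):
        return True, f"signer certificate valid at {basis} {reference:%Y-%m-%d}"
    return False, f"signer certificate not valid at {basis} {reference:%Y-%m-%d}"


# Constructed sample: a one-year code signing certificate, checked long after it expired.
SIGNER = Certificate("CN=Example Publisher", datetime(2023, 1, 1), datetime(2024, 1, 1))
CHECKED_AT = datetime(2025, 3, 1)
TIMESTAMPED = Signature(SIGNER, tsa_time=datetime(2023, 6, 1))
NOT_TIMESTAMPED = Signature(SIGNER)
TIMESTAMPED_AFTER_EXPIRY = Signature(SIGNER, tsa_time=datetime(2024, 2, 1))


def demo() -> dict[str, bool]:
    """Evaluate the three sample signatures at CHECKED_AT; returns name -> valid."""
    cases = {"timestamped": TIMESTAMPED, "no_timestamp": NOT_TIMESTAMPED,
             "timestamped_after_expiry": TIMESTAMPED_AFTER_EXPIRY}
    return {name: evaluate(sig, CHECKED_AT)[0] for name, sig in cases.items()}


if __name__ == "__main__":
    for name, valid in demo().items():
        print(f"{name}: {'valid' if valid else 'INVALID'}")
```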
Once you have selected your timestamp server (or one of the predefined servers that RayPack shows), you can configure the settings in your profile (Settings -> Signing + Tagging).
If you are using a custom timestamp server, make sure that the digest algorithm matches what the server requires. Information about the technical requirements can be obtained from the server maintainer. It is also recommended that you test the settings before saving them, so that any discrepancies or problems with the timestamp are detected early.