Regarding Timestamps and code signing with signtool - is it considered a best practice to apply stamps from multiple timestamp authorities to signed code? Further related questions that may help me to understand:

  • Is it possible to apply multiple timestamps utilizing different timestamp servers? If my understanding is correct from this article, the answer is yes. See: Alternative timestamping services for Authenticode

  • If so, do the multiple timestamps provide validation "fail-over" of the timestamp?
    For example, a piece of code is signed and then timestamped by both Comodo and Verisign. If the system is unable to connect to Verisign, would it still be valid if it could connect to Comodo to verify the timestamp? I am assuming that when code is being validated and the timestamp is detected, the system sends network traffic out to the Time Stamp Authority to verify the TimeStamp. If this is not the case and it is just locally verifying that (one of?) the Time Stamp(s) was issued by a trusted CA against the local store, that may answer the question.

  • Perhaps another question to ask: when checking timestamps, is this an "AND" (all timestamps must be verifiable for the code to pass check) or an "OR" (one of the timestamps must be verifiable for the code to pass check)?

1 Answer

For 1), they are talking about a fail-over, which means they just switch from the first server to the second server if the first one is not reachable. In any case, the result is only one time stamp.

However, there are people who try to apply two signatures, each having its timestamp:

For 2), once the timestamp is part of the executable, there's no need to connect to the server any more. As already supposed by you, the timestamp is a signature itself and if that signature is trusted by Windows, it's given as valid.

For 3), due to lack of available samples, I can't give an answer for this at the moment.

Thomas Weller
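
The fail-over described under 1), as an added example that is not part of the original answer: the script tries a list of timestamp servers in order and stops at the first success, so the signed file ends up with exactly one timestamp. The server URLs and the file path are placeholders, and signtool.exe is assumed to be on PATH.

```powershell
# Added example: timestamp fail-over for a file that is already signed.
# Assumptions: signtool.exe is on PATH; the URLs and the file path are placeholders.
param(
    [string]$File = '.\MyApp.exe',
    [string[]]$TimestampServers = @(
        'http://tsa-primary.example/rfc3161',
        'http://tsa-secondary.example/rfc3161'
    ),
    [int]$AttemptsPerServer = 2
)

function Add-TimestampWithFailover {
    param([string]$Path, [string[]]$Servers, [int]$Attempts)

    foreach ($server in $Servers) {
        for ($i = 1; $i -le $Attempts; $i++) {
            # /tr = RFC 3161 timestamp server, /td = digest algorithm of the timestamp.
            # Out-Host keeps signtool's output out of the function's return value.
            & signtool.exe timestamp /tr $server /td SHA256 $Path | Out-Host
            if ($LASTEXITCODE -eq 0) {
                return $server   # first success wins: one timestamp, one authority
            }
            Write-Warning "Timestamping via $server failed (attempt $i, exit code $LASTEXITCODE)"
            Start-Sleep -Seconds 5
        }
    }
    return $null
}

$used = Add-TimestampWithFailover -Path $File -Servers $TimestampServers -Attempts $AttemptsPerServer
if (-not $used) {
    # Fail the build instead of shipping a signature with no timestamp.
    Write-Error "No timestamp server could be used; $File is signed but not timestamped."
    exit 1
}
Write-Host "Timestamped by $used"

# /pa = default Authenticode verification policy; /v prints the embedded
# timestamp and its certificate chain so the result can be inspected.
& signtool.exe verify /pa /v $File
exit $LASTEXITCODE
```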