Signing foobar2000.exe and cert expiration

Piotr Pawlowski's certificate will expire on 2015-03-30. But the signature on foobar2000_v1.3.7.exe does not have a timestamp. Therefore, after the certificate expires, Windows and other tools will treat the signature as invalid.

To avoid having the signature invalidated, please add the option "/t http://timestamp.verisign.com/scripts/timstamp.dll" the next time you invoke "signtool.exe sign". This will add Verisign's timestamp ("counter-signature") to the binary, prolonging validity of the signature until the day Verisign's cert expires, i.e. practically forever.
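An added example, not part of the original thread: a PowerShell check for the condition described in the post above, namely an Authenticode signature with no timestamp counter-signature on a certificate that is about to expire. The function name, the risk labels and the sample folder are assumptions made for illustration; `Get-AuthenticodeSignature` and its `SignerCertificate` and `TimeStamperCertificate` properties are the standard ones.

```powershell
# Added example: report whether an Authenticode signature carries a timestamp
# counter-signature. Function name and risk labels are hypothetical.
function Get-SignatureTimestampReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path,
        # Flag untimestamped signatures whose certificate expires within this many days.
        [int]$WarnDays = 90
    )
    process {
        foreach ($file in $Path) {
            $sig    = Get-AuthenticodeSignature -FilePath $file
            $signer = $sig.SignerCertificate      # $null when the file is unsigned
            $tsa    = $sig.TimeStamperCertificate # $null when no counter-signature exists
            $now    = Get-Date

            # Without a timestamp, validity ends when the signer certificate expires.
            $risk = if (-not $signer) { 'Unsigned' }
                elseif ($tsa) { 'Timestamped' }
                elseif ($signer.NotAfter -lt $now) { 'ExpiredNoTimestamp' }
                elseif ($signer.NotAfter -lt $now.AddDays($WarnDays)) { 'ExpiresSoonNoTimestamp' }
                else { 'NoTimestamp' }

            [pscustomobject]@{
                Path               = $sig.Path
                Status             = $sig.Status
                Signer             = if ($signer) { $signer.Subject } else { $null }
                SignerNotAfter     = if ($signer) { $signer.NotAfter } else { $null }
                TimestampAuthority = if ($tsa) { $tsa.Subject } else { $null }
                Risk               = $risk
            }
        }
    }
}

# Usage: audit every installer in a constructed sample folder and list
# the files whose signatures would stop validating at certificate expiry.
Get-ChildItem 'C:\Downloads\*.exe' |
    ForEach-Object FullName |
    Get-SignatureTimestampReport |
    Where-Object Risk -ne 'Timestamped' |
    Format-Table -AutoSize
```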

Reply #1
That requires an EV (Extended Validation) certificate. EV certificates are Serious Business.

Reply #2
Timestamps do not require an Extended Validation certificate. Time-stamping is available to anyone, even for people with self-signed certificates. (In fact, the time-stamping server does not see who requests the timestamp.) Your linked article does not mention code signing or even Extended Validation. Also, the Wikipedia article about EV certificates talks about website certificates only.

Indeed, Code Signing does need a certificate that is issued by a CA that is recognized by Microsoft. But Piotr Pawlowski already does have such a certificate; you can see it by opening the Properties window of the installer.

Reply #3
With regular StartSSL certificates, timestamping doesn't work. I couldn't find any official word from StartCom on this matter, but I too ran into it when I had their certificate for my own use. Here's a mention of the issue.