
I'm curious about how Windows checks the Authenticode signature.

For example, I would sign test.exe

I know that if test.exe doesn't have a TS (timestamp) signature from a TSA (Timestamp Authority), the signature would expire after the certificate's NotAfter datetime.

I used to believe that if test.exe has an Authenticode signature with a valid TS signature, this signature would expire after the TS certificate expires.

However, it seems I'm wrong... When I was cleaning my old computer, I found the PlantsVsZombie!(⊙o⊙) You can download the main file from here ( I'm not sure how long can I keep this link available... )

Its signing certificate expired on 2012/9/21 and its timestamp certificate expired on 2012/6/15. Both of these two certificates have expired now. But surprisingly, its signature is still valid (checked using the PowerShell command Get-AuthenticodeSignature and viewed from the Properties - Digital Signatures tab).

Then I wonder: will a signature with a timestamp expire? If it would, at what time?

Jemmy1228
  • In case your link goes down: Here's a link to [the scan on VirusTotal](https://www.virustotal.com/en/file/5f650f52d12751e08b63e590edb0d9b9f09d087cea900baa0eb39e4af8eda251/analysis/). The "File Detail" tabs lists info on signing. – StackzOfZtuff Aug 03 '18 at 06:47

1 Answer


I'm curious about how Windows checks the Authenticode signature

Microsoft's Authenticode is a mechanism that is based on PKI, like any other digital certificate verification process:

  • Public key verification
  • Certificate lifespan
  • Certificate status (revoked?)
  • Trust chain
  • Timestamp (if used)

In the case of a timestamp, the signature will be valid as long as the certificate is valid. Otherwise, it will expire when the certificate does.

From DigiCert:

Timestamping ensures that code will not expire when the certificate expires because the system validates the timestamp. If you use the timestamping service when signing code, a hash of your code is sent to the timestamp server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.

Harel M
  • I know that it is based on PKI, but I wonder about the relationship between signature validity, CodeSign Certificate lifespan and Timestamp Certificate lifespan. – Jemmy1228 Aug 03 '18 at 07:18
  • But the PVZ I provided still has a valid signature, although both the timestamp and codesign certificates have expired. – Jemmy1228 Aug 03 '18 at 07:21
  • @JemmyLoveJenny When you sign the executable with a timestamp, you ensure that the executable will be valid forever (as long as the certificate that was used to sign it is trusted); the expiration of the certificates indicates that you cannot sign another until you get another valid certificate. – Harel M Aug 03 '18 at 11:12
  • You mean that the timestamp certificate's lifespan has no impact at all? – Jemmy1228 Aug 04 '18 at 06:37
  • A timestamp isn't just a time; it includes the timestamp certificate, the current time and the corresponding signature. – Jemmy1228 Aug 04 '18 at 06:38
  • @JemmyLoveJenny Of course it's not just a time; I've tried to simplify this for you in order to understand. I'll add some info from DigiCert to the answer. – Harel M Aug 04 '18 at 08:11
  • If the timestamp certificate is revoked due to key compromise, the timestamp signature would be considered invalid, and the codesign signature would be considered invalid too if the codesign certificate has expired. – Jemmy1228 Aug 04 '18 at 09:19
  • My question is: will a timestamp certificate become invalid when it expires, so as to make the timestamp signature invalid? – Jemmy1228 Aug 04 '18 at 09:20
  • @JemmyLoveJenny When a timestamp certificate has expired, it can no longer issue **new** signatures. Previously made signatures with timestamping will be valid as long as the certificate was valid during the signing time. Valid means within lifespan and not revoked. – Harel M Aug 04 '18 at 09:31
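As an added example that is not part of the question or the answer above: a small Python model of the time-validity rule the answer describes. It assumes the cryptographic checks (file hash, signature verification, chain to a trusted root) have already passed and models only the lifespan and revocation decisions: the signing certificate is judged at the time the signature was made, which is the countersignature's time when a timestamp is present and "now" otherwise, and the TSA certificate is judged at the time it countersigned, which is why neither certificate's later expiry invalidates the 2012 binary. The only figures taken from the page are the two NotAfter dates; the NotBefore dates, the signing time and the subject names are constructed. The `lifetime_signing` flag stands for Microsoft's Lifetime Signing EKU (OID 1.3.6.1.4.1.311.10.3.13), a real extension that makes a signature expire with the certificate even when timestamped; it is included as the one caveat to "timestamped signatures never expire".

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC date (constructed sample data uses this)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Certificate:
    """The X.509 fields that matter for the time-validity decision."""
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date from the CRL/OCSP response, if any
    lifetime_signing: bool = False         # Microsoft Lifetime Signing EKU (1.3.6.1.4.1.311.10.3.13)


@dataclass(frozen=True)
class AuthenticodeSignature:
    """A signature whose hash, public-key and chain checks are assumed to have passed already."""
    signer: Certificate
    timestamp_time: Optional[datetime] = None  # time asserted by the TSA countersignature
    timestamper: Optional[Certificate] = None  # the TSA certificate that made the countersignature


def cert_valid_at(cert: Certificate, when: datetime) -> Tuple[bool, str]:
    """Was this certificate within its lifespan and not yet revoked at `when`?"""
    if not (cert.not_before <= when <= cert.not_after):
        return False, f"{cert.subject}: outside its lifespan at {when:%Y-%m-%d}"
    if cert.revoked_at is not None and cert.revoked_at <= when:
        return False, f"{cert.subject}: revoked on {cert.revoked_at:%Y-%m-%d}, before {when:%Y-%m-%d}"
    return True, f"{cert.subject}: valid at {when:%Y-%m-%d}"


def verify_signature(sig: AuthenticodeSignature, now: datetime) -> Tuple[bool, str]:
    """Decide whether the signature is valid at `now` (time/revocation policy only).

    Without a timestamp nothing proves when the file was signed, so the signer is
    judged at `now` and the signature dies with the certificate.  With a timestamp
    whose TSA certificate was valid when it countersigned, the signer is judged at
    the timestamp time instead, so later expiry of either certificate is irrelevant.
    """
    if sig.timestamp_time is not None and sig.timestamper is not None:
        ok, why = cert_valid_at(sig.timestamper, sig.timestamp_time)
        if not ok:
            return False, "timestamp countersignature rejected: " + why
        verification_time = sig.timestamp_time
    else:
        verification_time = now

    ok, why = cert_valid_at(sig.signer, verification_time)
    if not ok:
        return False, "signing certificate rejected: " + why

    # Caveat: a signer carrying the Lifetime Signing EKU is meant to expire together
    # with its certificate even when timestamped, so its lifespan is also checked at `now`.
    if sig.signer.lifetime_signing and not (sig.signer.not_before <= now <= sig.signer.not_after):
        return False, f"signing certificate rejected: Lifetime Signing EKU and expired at {now:%Y-%m-%d}"

    return True, why


# Constructed sample data: only the two NotAfter dates come from the question.
PVZ_SIGNER = Certificate("game code-signing cert (constructed)", utc(2009, 9, 22), utc(2012, 9, 21))
PVZ_TSA = Certificate("TSA cert (constructed)", utc(2007, 6, 15), utc(2012, 6, 15))
SIGNED_ON = utc(2011, 5, 10)  # constructed signing time; the question does not state it
TODAY = utc(2018, 8, 3)       # the date of the question


def pvz_with_timestamp() -> Tuple[bool, str]:
    """The binary from the question: both certificates expired, timestamped, still valid."""
    return verify_signature(AuthenticodeSignature(PVZ_SIGNER, SIGNED_ON, PVZ_TSA), TODAY)


def pvz_without_timestamp() -> Tuple[bool, str]:
    """The same signer with no countersignature: expired with the certificate."""
    return verify_signature(AuthenticodeSignature(PVZ_SIGNER), TODAY)


if __name__ == "__main__":
    for label, result in (("timestamped", pvz_with_timestamp()), ("no timestamp", pvz_without_timestamp())):
        print(f"{label:13s} valid={result[0]}  {result[1]}")
```

The model also covers the revocation question raised in the comments: a signer revoked with a CRL revocation date later than the timestamp still verifies, while one revoked before the signing time does not, because both checks are made at the timestamp time rather than at the time of verification.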