Specifically:

Once the certificate is added to the public-CA CRL, how will Windows handle executables signed with that certificate?

Leor
  • 93
  • 5
  • Hm, I guess it depends on the module which does the check. There are many places like download, UAC control, driver signing and PowerShell or VBA signing. I think however most of them won't check for the revocation of a (intermediate) CA anyway by default. If it does check, I am not sure if it will compare the timestamp with the revocation date (like it does for expiry). – eckes Apr 25 '17 at 11:06
  • Most of that is closed source, so good luck with an answer. You could set up an internal CA, configure OCSP and CRL, add access logs, and then see what apps check and what apps don't. My gut feeling is absolutely nothing happens. – Jacob Evans Apr 27 '17 at 16:01

1 Answer

1

What happens mostly depends on whether or not you are using a timestamping service. If you are, then the signed executable will remain trusted; if you do not, then the executable will no longer be trusted.

From Thawte's Code Signing Certificate FAQs:

  • How long can I use a Code Signing certificate for?

Code Signing certificates are valid for 1 to 3 years depending on which life cycle you choose when you purchase the certificate. You should also timestamp your signed code to avoid your code expiring when your certificate expires.

  • Is timestamped code valid after a Code Signing Certificate expires?

Thawte timestamp services allow you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the system validates the timestamp. If you use the timestamping service when signing code, a hash of your code is sent to the timestamp server to record a timestamp for your code. A user's software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a certificate that was valid at the time the code was signed but which has subsequently expired.

Please specify the timestamp server URL you need when you sign your code. Thawte provides you with both SHA-1 and SHA-256 RFC 3161 timestamping URLs.

The timestamp server validates the date and the time that the file was signed; therefore the certificate can expire but the signature will be valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.

If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Persistent13
  • 643
  • 3
  • 13
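
Added example, not part of the answer or of Thawte's FAQ: a PowerShell audit that walks a directory, reads each binary's Authenticode signature with Get-AuthenticodeSignature, and flags files whose signer certificate has expired (or expires soon) without a timestamp countersignature, which is exactly the case the answer says stops being trusted. The root path and the warning window are assumptions; adjust them for the directory you want to check.

```powershell
# Added example (not from the answer above): inventory Authenticode signatures
# and flag binaries that rely on an expired or soon-to-expire signer certificate
# without a timestamp countersignature. $Root is an assumed location.
param(
    [string]$Root = 'C:\Program Files\ExampleVendor',   # assumption: directory to audit
    [int]$WarnDays = 90                                 # assumption: warning window
)

$now = Get-Date

Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll,*.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        # TimeStamperCertificate is populated only when the signature carries a
        # timestamp countersignature; without it the signature depends on the
        # signer certificate being valid at verification time, not signing time.
        $hasTimestamp = $null -ne $sig.TimeStamperCertificate

        $risk = if (-not $signer) { 'unsigned' }
                elseif (-not $hasTimestamp -and $signer.NotAfter -lt $now) { 'expired signer, no timestamp' }
                elseif (-not $hasTimestamp -and $signer.NotAfter -lt $now.AddDays($WarnDays)) { 'signer expiring soon, no timestamp' }
                elseif (-not $hasTimestamp) { 'no timestamp' }
                else { 'ok' }

        [pscustomobject]@{
            Path          = $_.FullName
            Status        = $sig.Status          # verification result at run time
            Signer        = if ($signer) { $signer.Subject } else { '' }
            SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
            Timestamped   = $hasTimestamp
            Risk          = $risk
        }
    } |
    Where-Object { $_.Risk -ne 'ok' } |
    Sort-Object Risk, SignerExpires |
    Format-Table -AutoSize
```

Timestamped only reports that a countersignature is present; the actual signing time lives inside the PKCS#7 blob and is not exposed by this cmdlet.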