What happens when a code signing certificate expires?

I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year cerificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.

What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).

This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.

Any ideas?


Solution 1:

If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.

From Thawte Code Signing Certificate FAQs:

How long can I use a Code Signing Certificate for?

  • Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Please note: For Microsoft® Authenticode® (Multi-Purpose), you should also timestamp your signed code to avoid your code expiring when your certificate expires.

Is timestamped code valid after a Code Signing Certificate expires?

  • Microsoft® Authenticode® (Multi-Purpose) allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.

Solution 2:

Watch out for certificates with WTD_LIFETIME_SIGNING_FLAG set: It means (despite what you mind assume from the name) that a program signed with the certificate is invalid after the certificate expires, even though the program hasn’t changed, and the certificate was valid when it was signed.

This also affects updates, in that even if the customer checks the box to trust all programs from your company, if your update program isn't signed with the same cert (or that cert expires) then the trust fails.

From: http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx


Timestamp Processing with Lifetime Signing Semantics

Applications or certification authorities that do not want timestamped signatures to verify successfully for an indefinite period of time have two options:

• Set the lifetime signer OID in the publisher’s signing certificate.

If the publisher’s signing certificate contains the lifetime signer OID in addition to the PKIX code signing OID, the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. The lifetime signer OID is defined as follows:

szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13

• Set the WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure when calling WinVerifyTrust.

If a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure and the publisher’s signing certificate has expired, WinVerifyTrust reports the signature as invalid even if the signature is timestamped.

If a publisher revokes a code signing certificate that contains the lifetime signer OID or a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure, WinVerifyTrust reports the signature as valid if both of the following conditions are met:

• The signature was timestamped before the revocation date.

• The signing certificate is still within its validity period. After the validity period expires, the signature becomes invalid.


For Example: https://forum.startcom.org/viewtopic.php?f=15&t=2215&p=6827&hilit=lifetime+signing#p6827

That is a serious problem with StartSSL certificates. It doesn't surprise me that there are limitations in a certificate that cost so little, but burying this limitation in the fine print or in an old forum post instead of making it clear in the product description is poor business. They may fix it in the future, and others may or may not have the same limitation so an email to check before you spend might be wise.

Guess who didn't know to ask? LOL... oh well, live and learn.

Solution 3:

If you make sure to add a time stamp when signing binaries, you won't have to re-sign them when the certificate expires. Just add "/t http://timestamp.verisign.com/scripts/timstamp.dll" to the command line of signtool and the digital signature will always be marked as valid unless the certificate is revoked and the CA is trusted.

The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are. In my case they verified the address and phone number, and phoned me up. Comodo's certificates appear to be slightly cheaper though.