The signature in MSI package does not contain a timestamp

[rafabailon]

Description

In certificates check it has been found that the signature in MSI package does not contain a timestamp.

Found in Scheduled certificates review - 2024 Monthly #01

Details

When it comes to digital signatures, timestamping refers to the process of including an electronic timestamp in your signature to possibly extend the validity of the signing certificate.

Therefore, if a certificate includes a timestamp, it will validate the certificate by verifying the signature against the time it was signed, and not the time you are running the software. And if not and a certificate has expired, then not having a digital signature timestamp will essentially block the application from being used.

Steps to Reproduce

To reproduce the error you must follow the following steps:

• Download MSI Package
• Download DigiCert Certificate Utility for Windows
• Install MSI Package
• Use DigiCert Certificate Utility for Windows to review the certificate

Tasks

• [ ] Add timestamp to the MSI Package Signature
• [ ] Check that the MSI Package Signature has timestamp