Code Signing and Timestamp

  • Question

  • Hi All,

    We need to re-sign all of our PowerShell scripts as the code signing certificate is due to expire shortly.

    To avoid us having to do this again in a couple of years I’m considering timestamping the signatures using the Verisign service, but I have a couple of questions...

    1. The target environment does not have internet access (the code signing workstation will have) – will this cause issues with cert chain / CRL lookups etc. for the time stamping certificates? Also, what happens when the timestamping certificate expires (looks like 2012)? I tried disconnecting the test environment from the Internet and moving the system clock forward and it doesn’t seem to need to look anything up but I just wanted to have a second opinion?

    2. I can’t seem to find any usage policy on the Verisign site, does anyone know if there is one or if there are restrictions to this service?

    Thanks for any advice

    Pete

    Monday, March 8, 2010 1:41 PM

Answers

  • 1) There shouldn't be any issues while PowerShell doesn't check certificates for revocation. The Verisign code signing root certificate is already installed on any Windows box, so PowerShell will be able to build a chain for the timestamp signing certificate even without internet access. When the signing certificate is expired and the signature is timestamped, the signature is considered valid while the timestamping certificate is not revoked, even if it is expired.

    2) I don't know if VeriSign has any restrictions for their timestamping service.
    http://www.sysadmins.lv
    • Marked as answer by ___pete Tuesday, March 9, 2010 1:17 PM
    Monday, March 8, 2010 2:28 PM
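
As an added example, not part of the original thread: one way to re-sign a folder of scripts with a timestamp and then confirm that every signature actually carries a timestamp countersignature. The folder path and the timestamp URL are placeholders, and the certificate is assumed to be in Cert:\CurrentUser\My on the signing workstation.

```powershell
# Added example. $ScriptRoot and $TimestampUrl are placeholders, not values from the thread.
param(
    [string]$ScriptRoot   = 'C:\Scripts',                    # assumed location of the scripts
    [string]$TimestampUrl = 'http://timestamp.example.test'  # placeholder: your timestamp service URL
)

# Pick the unexpired code signing certificate with the latest expiry date.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code signing certificate found in Cert:\CurrentUser\My.' }

$files = Get-ChildItem -Path $ScriptRoot -Recurse -Include *.ps1, *.psm1, *.psd1

$results = foreach ($file in $files) {
    # -TimestampServer requests the countersignature at signing time (needs network access).
    # -IncludeChain NotRoot embeds the signer's intermediate certificates in the signature.
    Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
        -TimestampServer $TimestampUrl -IncludeChain NotRoot | Out-Null

    # Re-read the signature from disk so the report reflects what the target hosts will see.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path        = $file.FullName
        Status      = $sig.Status
        Timestamped = [bool]$sig.TimeStamperCertificate
        TsaNotAfter = $sig.TimeStamperCertificate.NotAfter
    }
}

$results | Format-Table -AutoSize

# A signature without a timestamp stops validating once the signing certificate expires,
# so treat a missing timestamp as a failure rather than a warning to ignore.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) are unsigned, invalid, or missing a timestamp."
}
```

Running `Get-AuthenticodeSignature` against the same files on one of the disconnected hosts shows whether the chain builds there without internet access.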

All replies

  • Thanks Vadims
    Tuesday, March 9, 2010 1:18 PM