I was reading What happens when a code signing certificate expires – Stack Overflow and wondering about a more solid answer. The answer provided was more about setting up your own CA. Even with your own CA you will still need to deal with expiring code certificates.

If you signed the code without using a time stamping service, after the certificate expires your code will no longer be trusted, and depending on security settings it may not be allowed to run. You will need to re-sign all of your code with a new certificate, or with a renewed certificate, every 1 or 2 years.

Trusted (digital) timestamping allows the digital signature to be valid even after the certificate itself has expired. You would need to re-sign code with the new certificate only if you have made changes.

Does this all sound correct? If so, I need recommendations on what timestamping service to use, preferably from someone who has actually used one. I’d also like to know if there are any in-house solutions, similar to being your own CA.

Right now this applies to PowerShell scripts, but I will eventually have the same issue with other code.

Update: Sample of how to sign a PS script with a timestamp (you can make a script for this):

Set-AuthenticodeSignature -filepath "D:\Projects\A Sample\MyFile.ps1" 
  -cert gci cert:\CurrentUser\My -codesigning 
  | where -Filter {$_.FriendlyName -eq "Thawte Code Signing"}
  -IncludeChain All 
  -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"

Then, to see the Signer Certificate and TimeStamper Certificate, you can do this:

Get-AuthenticodeSignature MyFile.ps1 | fl *

It gives you the Subject (CN, OU, etc.), Issuer, Before/After Dates, and Thumbprints for both your cert and the timestamper’s cert. You also get a message indicating the status of the signature.