Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Where the certificate is just bogus, like it says "Test" or "Do not use" on it, and that's not a joke (TPPI which stands for "Test Pack Please Ignore" genuinely is one of the more famous Minecraft modpacks so, you know...) then you're correct that all bets are off.

But, where certificates expire the whole _point_ of a code signing or document signing system that makes it different from the Web PKI (certificates for stuff that speaks TLS) is that it makes use of Time Stamping, ala RFC 3161.

The Time Stamping services don't know anything about anything, except they promise to make signed documents saying they saw a particular bit-string (a hash) at a specific moment in time. Timestamps.

And it turns out that this (if you trust any Time Stamping service to know what the time is and not be corrupt) is enough to bootstrap a completely acceptable code signing system where even though the certificate expired in say, January 2017 you can trust that it was valid in March 2015 when its keys were used to sign some code, so therefore the code is still good.

The Certificate Transparency system does a lot MORE than this, but that only makes sense when we want transparency, proprietary vendors mostly do NOT want transparency.



I start to see how this works. There is a third party, but they intervene at signing time and not at validation time.

In detail: You create a hash of your executable and send it to the third party, the TSS. They sign the hash, and never even need to see the actual executable. As long as the end user trusts the third party's cert, the TSS can guarantee the executable existed in its current shape on the date you claim it existed. A kind of notary service.

For who wants to know more: Here is a Java article detailling how this works for Java, and what happens if the TSS cert itself expires

https://blogs.oracle.com/java-platform-group/signed-code-nee...

And wikipedia is interesting too:

https://en.wikipedia.org/wiki/Trusted_timestamping


This is how Microsoft code signing working. Your certificate just needs to be said valid at the time it was signed by using a timestamp service.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: