Time Stamp Server & Stamping Protocols for Digital Signatures/Code Signing

Time Stamping Server

In order to sign your code, you pass the code which you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which results in a digital signature. You then build a signature block, which contains the digital signature and the code-signing certificate.

Tools like Microsoft's SignTool let you time stamp the signature block based on the current date and time that a time stamping service provider, such as Sectigo, provides. Finally, you bind the time stamped signature block to the original software. Now you can publish the signed software on your Web site for download.

As part of this process you will need to know the URL of Sectigo's time stamping server:

* http://timestamp.sectigo.com

Since key pairs are based on mathematical relationships that can be cracked with a great deal of time and effort, it is a well-established security principle that digital certificates should expire. Your Digital ID will expire on its expiry date. However, most software is intended to have a lifetime of longer than one year. To avoid having to re-sign software every time your certificate expires, a timestamping service is introduced. Now, when you sign code, a hash of your code will be sent to the Certification Authority to be timestamped. This means that you will not need to worry about re-signing code when your Digital ID expires. Microsoft Authenticode allows you to timestamp your signed code so that signatures will not expire when your certificate does.

There are two popular timestamping protocols, which are both supported by our time stamping server:

  • RFC 3161 timestamping is used by SignTool (using the '/tr' parameter) and other applications (such as jarsigner). Our time stamping server automatically selects the appropriate signature algorithm (RSA/SHA-256 or RSA/SHA-384) with which to sign each timestamp, based on the hash algorithm you specify (e.g. via SignTool's '/td' parameter).

  • Authenticode timestamping is used by older versions of SignTool (using the '/t' parameter) and SignCode. Due to the design of this protocol, it is not possible for our time stamping server to automatically select the appropriate signature algorithm. We currently use RSA/SHA-384 as the default timestamp signature algorithm. However, you may request a different signature algorithm by appending '?td=<hash_algorithm>' to the URL. e.g. http://timestamp.sectigo.com?td=sha256.

    Effective from May 31, 2020, our Timestamp Servers no longer sign with the RSA/SHA-1 signature algorithm.

    Additional information about Time Stamping can be found here
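As an added illustration of the RFC 3161 exchange described in the first bullet (example code written for this page, not code from the page or from Sectigo), the Python below builds a TimeStampReq by hand so that the digest algorithm the server keys its signature algorithm on is visible inside the messageImprint (the field SignTool's '/td' parameter sets), posts it with the RFC 3161 HTTP content type, and decodes the PKIStatus from the reply; it goes slightly beyond the page by handling both SHA-256 and SHA-384 and long-form DER lengths. The helper names, the random 8-byte nonce and the sample reply bytes are my own choices.

```python
import hashlib, os, urllib.request

HASH_OIDS = {  # DER-encoded OBJECT IDENTIFIERs of the two digest algorithms the page mentions
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
    "sha384": bytes.fromhex("0609608648016503040202"),  # 2.16.840.1.101.3.4.2.2
}

def der(tag: int, body: bytes) -> bytes:
    """One DER TLV with a definite length (short form below 128 bytes, long form above)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_int(value: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the sign bit clear (128 -> 00 80)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_timestamp_request(data: bytes, hash_alg: str = "sha256", nonce=None) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq TRUE }; only the digest is sent."""
    digest = hashlib.new(hash_alg, data).digest()
    alg_id = der(0x30, HASH_OIDS[hash_alg] + b"\x05\x00")   # AlgorithmIdentifier with NULL params
    imprint = der(0x30, alg_id + der(0x04, digest))         # MessageImprint: this is what '/td' selects
    if nonce is None:
        nonce = int.from_bytes(os.urandom(8), "big")        # echoed in the reply; ties reply to request
    cert_req = der(0x01, b"\xff")                           # ask the TSA to include its signing certificate
    return der(0x30, der_int(1) + imprint + der_int(nonce) + cert_req)

def tlv(buf: bytes, off: int):
    """Tag and length at buf[off] -> (tag, body_start, body_end); handles long-form lengths."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, off + 2, off + 2 + first
    n = first & 0x7F
    return tag, off + 2 + n, off + 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def reply_status(resp: bytes) -> int:
    """PKIStatus from TimeStampResp: 0 = granted, 1 = grantedWithMods, otherwise rejected (no token follows)."""
    _, off, _ = tlv(resp, 0)                # TimeStampResp SEQUENCE
    _, off, _ = tlv(resp, off)              # PKIStatusInfo SEQUENCE
    tag, s, e = tlv(resp, off)              # status INTEGER
    assert tag == 0x02, "malformed TimeStampResp"
    return int.from_bytes(resp[s:e], "big")

def request_timestamp(der_req: bytes, url: str = "http://timestamp.sectigo.com") -> bytes:
    """POST the request as RFC 3161 over HTTP (network call) and return the raw TimeStampResp DER."""
    hdrs = {"Content-Type": "application/timestamp-query"}
    with urllib.request.urlopen(urllib.request.Request(url, data=der_req, headers=hdrs), timeout=30) as r:
        return r.read()
```

A status of 0 or 1 means a timeStampToken follows the PKIStatusInfo in the reply; verify its signature and the echoed nonce before embedding it in the signature block.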

Note: If you are signing several pieces of software with a script, please add a delay of 15 seconds or more between signings so that you're not hammering our servers.