CodeSigning Issue - No Timestamping

I noticed this today when doing my weekly update of Manager. My provided dates will probably be off in places due to my timezone (UTC-6).


The (MSI file) installer I downloaded today (2024-07-28) is signed by an expired certificate.

  • Thumbprint 15d97d2732fa15bb73b3efe35663134048260a8a
  • NotBefore 2024-07-24
  • NotAfter 2024-07-27
  • Issuer Microsoft ID Verified CS AOC CA 02

The file has no timestamping/countersignatures.


Going back in my downloaded versions, I see something similar for a slightly older file I downloaded 2024-07-23:

  • Thumbprint b2cd46ea4c959aabdd4916793ff79ae47e1daf82
  • NotBefore 2024-07-23
  • NotAfter 2024-07-26
  • Issuer Microsoft ID Verified CS EOC CA 02

Once again, the file has no timestamping/countersignatures.


Going back to a file I downloaded on 2024-07-14, that cert looks better and, most importantly, has a countersignature/timestamp from DigiCert’s timestamp server.

  • Thumbprint a164e368681f54dff6b3d05adb2669163ef93db6
  • NotBefore 2023-08-17
  • NotAfter 2024-08-18
  • Issuer DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1

Where did you download it from?

I always download from Download | Manager.io

The MSI URL on my side directs to https://github.com/Manager-io/Manager/releases/latest/download/Manager-win-x64.msi which is what I downloaded earlier today (and every time I’m guessing as long as that path doesn’t change) and re-downloaded now, still the same file at this time.

@jamesaepp what you are observing is correct. However, how did you notice this? Do you get any warning in Windows? It’s not common for users to check how an MSI file is signed before installing.

I check all software downloads manually for code signing.

I did try opening up the MSI and was somewhat surprised Windows didn’t complain at all.

I’m now using Azure Trusted Signing instead of DigiCert. Azure Trusted Signing rotates certificates daily, with a 3-day lifespan.

But I didn’t include a timestamp, so the certificate was validated against the current time rather than the time the code was signed. I fixed that now. Thanks
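
The manual check described in this thread can be scripted. The following is an added example, not code from any poster or from the Manager project: it reads the Authenticode signature of each file with `Get-AuthenticodeSignature` and reports the signer certificate fields listed above, plus whether a timestamp countersignature is present. The function name, the finding strings and the Downloads path are assumptions made for illustration.

```powershell
# Added example: report signer certificate details and timestamp presence.
# Get-SignatureTimestampReport and its Finding strings are hypothetical names.
function Get-SignatureTimestampReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path
    )
    process {
        foreach ($file in $Path) {
            $sig    = Get-AuthenticodeSignature -FilePath $file
            $signer = $sig.SignerCertificate
            $tsa    = $sig.TimeStamperCertificate   # $null when no countersignature exists
            $now    = Get-Date

            # Classify by timestamp presence and the signer certificate's validity period.
            $finding = if (-not $signer) {
                'Unsigned'
            } elseif (-not $tsa -and $now -gt $signer.NotAfter) {
                'No timestamp; signer certificate has expired'
            } elseif (-not $tsa) {
                'No timestamp; signer certificate still in validity period'
            } else {
                'Timestamped'
            }

            [pscustomobject]@{
                File        = Split-Path -Leaf $file
                Status      = $sig.Status
                Thumbprint  = $signer.Thumbprint
                NotBefore   = $signer.NotBefore
                NotAfter    = $signer.NotAfter
                Issuer      = $signer.Issuer
                Timestamper = $tsa.Subject
                Finding     = $finding
            }
        }
    }
}

# Usage (assumed location): audit every MSI in the current user's Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads\*.msi" |
    Get-SignatureTimestampReport |
    Format-List
```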