Timestamping your executables

Timestamping a signed executable can add more confidence in the authenticity of the signature and, most importantly, it is absolutely free.

Known CAs listed in Microsoft provide this service for free:
Here are some examples:

To sign an executable you need a certificate signed by a known authority such as Comsign or Verisign that lists the "code signing" enhanced key usage OID.

You can use signtool or signcode to sign your executables, but if you really want to control the signing flow, ComsignTrustDesktop supports this signing method starting from version 1.3.25.

It is important to note that the above TSAs are not compliant with RFC 3161. That is, if you want a signed PDF document timestamped by a known certificate authority, you would probably need to look for something else.
On the other hand, starting from Windows 7/Windows Server 2008 R2 there is some unreferenced support for RFC 3161 in Microsoft CAPI when signing PE files (exe, dll, etc.).
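
To see which of the two timestamp styles a signed PE file actually carries, the following added example (not part of the original post) walks the PE certificate table and looks for the DER-encoded OID of the legacy Authenticode countersignature attribute or of the Microsoft RFC 3161 token attribute. The function names and `sample_pe` input are constructed for illustration, and the byte search is a triage heuristic that does not verify the signature or the timestamp.

```python
import struct
# DER-encoded OIDs of the unsigned attributes that carry the timestamp
OID_LEGACY = bytes.fromhex("06092a864886f70d010906")     # 1.2.840.113549.1.9.6, PKCS#9 countersignature
OID_RFC3161 = bytes.fromhex("060a2b060104018237030301")  # 1.3.6.1.4.1.311.3.3.1, Microsoft RFC 3161 token

def certificate_table(pe: bytes) -> bytes:
    """Return the raw attribute certificate table of a PE image (b'' if unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+ data directory offset
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: file offset, size
    if offset == 0 or size == 0:
        return b""
    if offset + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return pe[offset:offset + size]

def timestamp_kinds(pe: bytes) -> set:
    """Heuristic triage: which timestamp attribute OIDs appear in the PKCS#7 blobs."""
    table, kinds, pos = certificate_table(pe), set(), 0
    while pos + 8 <= len(table):
        length, _rev, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8:
            break                                # malformed entry, stop walking
        blob = table[pos + 8:pos + length]
        if cert_type == 0x0002:                  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            if OID_LEGACY in blob:
                kinds.add("legacy-authenticode")
            if OID_RFC3161 in blob:
                kinds.add("rfc3161")
        pos += (length + 7) & ~7                 # entries are 8-byte aligned
    return kinds

def sample_pe(attr_oid: bytes) -> bytes:
    """Constructed PE32 skeleton with a stub blob (not a real signature)."""
    img = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)     # PE32 optional header magic
    blob = b"\x30\x80" + attr_oid
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    struct.pack_into("<II", img, 0x98 + 96 + 4 * 8, len(img), len(entry))
    return bytes(img) + entry
```

On a real file, pass the bytes read from disk to `timestamp_kinds`; an empty set means the file is unsigned or signed without a timestamp.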

