SQ20105
Detected digital signatures with an expired signing certificate.
priority | CI/CD status | severity | effort | RL level | RL assessment |
---|---|---|---|---|---|
None | pass | low | medium | None | None |
About the issue
Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity and integrity. A signature is created with the private key belonging to a digital certificate, which can either be purchased from a certificate authority or be self-issued. Certificates have a validity period during which they may be used to create signatures. For application signatures (code signing), it is recommended to countersign the signature with a trusted timestamp. A timestamp countersignature proves that the signature was created while the certificate was still valid, so the signature remains valid after the signing certificate expires; such signatures are considered valid indefinitely, as long as the timestamp itself can be verified. The detected signature is still considered valid, but one or more certificates used to create it have since expired. This may indicate that the application relies on outdated components.
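As an added example (not part of the ReversingLabs policy text or tooling), the decision rule described above written in Python with the standard library only. Certificate subjects, dates and component names are constructed for illustration, and the model assumes the timestamp token has already been verified against a trusted timestamping authority:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Possible outcomes of the check. VALID_CERT_EXPIRED is the condition SQ20105
# reports: the signature still verifies, but the signing certificate has since
# expired. The other outcomes are included for contrast; they are not SQ20105.
VALID = "valid"
VALID_CERT_EXPIRED = "valid, signing certificate expired"
INVALID_NO_TIMESTAMP = "invalid: certificate not valid now and no timestamp countersignature"
INVALID_SIGNED_OUTSIDE_VALIDITY = "invalid: timestamp falls outside certificate validity"


@dataclass(frozen=True)
class SigningCertificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def covers(self, when: datetime) -> bool:
        """True if `when` lies inside this certificate's validity period."""
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class CodeSignature:
    component: str
    signer: SigningCertificate
    # Signing time asserted by an RFC 3161 timestamp countersignature, or None
    # when the publisher did not countersign. Assumption of this example: the
    # timestamp token itself has already been verified against a trusted TSA.
    timestamp: Optional[datetime]


def assess(sig: CodeSignature, now: datetime) -> str:
    """Classify a signature by comparing the certificate validity period with
    either the countersigned timestamp or, failing that, the current time."""
    cert = sig.signer
    if sig.timestamp is not None:
        # With a timestamp, what matters is whether the certificate was valid
        # at signing time, not whether it is valid today.
        if not cert.covers(sig.timestamp):
            return INVALID_SIGNED_OUTSIDE_VALIDITY
        return VALID_CERT_EXPIRED if now > cert.not_after else VALID
    # Without a timestamp the verifier has no trusted signing time, so the
    # certificate must be valid at verification time.
    return VALID if cert.covers(now) else INVALID_NO_TIMESTAMP


def flag_expired_signers(sigs: Iterable[CodeSignature], now: datetime) -> List[str]:
    """Names of the components whose signatures would trigger SQ20105."""
    return [s.component for s in sigs if assess(s, now) == VALID_CERT_EXPIRED]


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (hypothetical publisher, not taken from real software).
OLD_CERT = SigningCertificate("CN=Example Publisher (old key)", _utc(2018, 1, 1), _utc(2021, 1, 1))
CURRENT_CERT = SigningCertificate("CN=Example Publisher", _utc(2023, 1, 1), _utc(2026, 1, 1))
NOW = _utc(2025, 6, 1)

SAMPLE_SIGNATURES = [
    # Signed and timestamped while OLD_CERT was valid: still valid, but SQ20105.
    CodeSignature("legacy-helper.dll", OLD_CERT, timestamp=_utc(2019, 6, 1)),
    # Same certificate, no timestamp: the verifier can only compare against now.
    CodeSignature("legacy-installer.exe", OLD_CERT, timestamp=None),
    # Timestamp asserts a signing time after OLD_CERT expired: invalid.
    CodeSignature("backdated.exe", OLD_CERT, timestamp=_utc(2022, 3, 1)),
    # Current certificate, timestamped: nothing to report.
    CodeSignature("app.exe", CURRENT_CERT, timestamp=_utc(2024, 2, 1)),
]

if __name__ == "__main__":
    for sig in SAMPLE_SIGNATURES:
        print(f"{sig.component:22} {assess(sig, NOW)}")
    print("SQ20105:", flag_expired_signers(SAMPLE_SIGNATURES, NOW))
```

Only the first sample is SQ20105: its signature is still trustworthy, and the finding is a hint to look for a newer build of that component. The second sample shows why the countersignature matters: the same expired certificate without a timestamp leaves the verifier nothing but the current time to compare against, so the signature no longer validates at all. A production verifier additionally checks the timestamping authority's certificate chain and revocation status, which this model leaves out.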
How to resolve the issue
- Check for available updates to the affected software components.
Recommended reading
- Digital certificates (External resource - Microsoft)
- Security Considerations for Code Signing (External resource: PDF document - NIST)