SQ20134
Detected digital signatures that were countersigned by an expired time-stamping certificate.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | fail | high | medium | 2 | tampering: fail (reason: signature compliance mistakes) |
## About the issue
Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity: they verify both the origin and the integrity of the signed object. For application signatures (code signing), it is recommended to countersign the signature with a trusted time-stamp. A time-stamped signature remains valid after the signing certificate expires, because the time-stamp proves that the signature was produced while that certificate was still valid. For the time-stamp itself to be trustworthy, the time-stamping service must be authenticated and its certificate must have been valid at the moment the time-stamp was applied; a countersignature made with an already expired time-stamping certificate, which is what this issue reports, does not provide that proof. Signatures that are not countersigned stop validating when the signing certificate expires, which may result in application errors and availability outages.
## How to resolve the issue
- Consult your certificate authority's code-signing documentation for its supported time-stamping service and recommended settings.
- With Microsoft SignTool, specify a trusted remote time-stamping server with the /t (legacy Authenticode time-stamp) or /tr (RFC 3161 time-stamp) parameter, and re-sign the affected components.
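The following PowerShell session is an added example of the two steps above and is not code from the policy page or from ReversingLabs: it re-signs a binary with an RFC 3161 countersignature and then reports whether a time-stamp countersignature is present and what validity window the time-stamping certificate has. The TSA URL and the file path are placeholders (assumptions); substitute the server your certificate authority documents.

```powershell
# Added example, not part of the original page. Requires SignTool (Windows SDK)
# on PATH and a code-signing certificate in the current user's store.
$Tsa  = 'https://timestamp.example.com/rfc3161'   # placeholder TSA URL (assumption)
$File = '.\app.exe'                                # placeholder path (assumption)

# /fd sha256 : file digest algorithm for the signature
# /tr        : RFC 3161 time-stamp server (preferred over the legacy /t option)
# /td sha256 : digest algorithm the time-stamping authority should use
# /a         : automatically select the best code-signing certificate in the store
signtool sign /fd sha256 /tr $Tsa /td sha256 /a $File
if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }

function Test-TimestampCountersignature {
    <#
    .SYNOPSIS
      Report the Authenticode signature status of a file together with the
      time-stamping certificate used for its countersignature (if any).
    #>
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $tsa = $sig.TimeStamperCertificate

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        HasTimestamp  = [bool]$tsa
        TsaSubject    = if ($tsa) { $tsa.Subject }   else { $null }
        TsaNotBefore  = if ($tsa) { $tsa.NotBefore } else { $null }
        TsaNotAfter   = if ($tsa) { $tsa.NotAfter }  else { $null }
    }
}

$report = Test-TimestampCountersignature -Path $File
$report | Format-List

if (-not $report.HasTimestamp) {
    Write-Warning "No time-stamp countersignature: the signature stops validating after $($report.SignerExpires)."
}

# Get-AuthenticodeSignature does not expose the time recorded in the time-stamp
# itself; SignTool prints it in verbose verification output ("The signature is
# timestamped: ..."). Compare that time against TsaNotBefore/TsaNotAfter above:
# a time-stamping certificate that was already expired at that moment is the
# condition SQ20134 reports.
signtool verify /pa /v $File
```

Run this from an elevated or developer PowerShell prompt after re-signing; a healthy result shows `Status : Valid`, `HasTimestamp : True`, and a time-stamp time that falls inside the time-stamping certificate's validity window.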
## Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed:
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
## Recommended reading
- Digital certificates (External resource - Microsoft)
- Security Considerations for Code Signing (External resource: PDF document - NIST)
- Best Practices for Timestamping (External resource - DigiCert)