SQ20136

Detected digital signatures that were countersigned by an unknown time-stamping service.

| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|----------|--------------|----------|--------|------------|-----------------|
|          | pass         | low      | low    | None       | None            |

About the issue

Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity. A signature verifies both the origin and the integrity of the object it covers. For application signatures (digital code signing), it is recommended to countersign the signature with a time-stamp. A countersigned signature remains valid after the signing certificate expires, because the time-stamp proves that the signature was produced while the certificate was still valid. However, for the time-stamp to be considered trustworthy, the time-stamping service must be authenticable and must be operated by a reputable certificate authority. Lists of trusted certificate authorities can typically be found in the certificate stores of your operating system or web browser. Failing to countersign software components may result in application errors and availability outages once the signing certificate expires.

How to resolve the issue

  • Consult the certificate authority code signing documentation.
  • With Microsoft SignTool, specify a trusted remote time-stamping server with the /t parameter (legacy Authenticode time-stamp) or the /tr parameter (RFC 3161 time-stamp).
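
The check a release engineer would want before this policy fires is to see which time-stamping authority actually countersigned each build artifact. The script below is an added example, not ReversingLabs' or Microsoft's code; it assumes Windows PowerShell 5.1 or later, Authenticode-signed files under a hypothetical .\dist directory, and a placeholder allowlist of TSA root thumbprints that you replace with your own.

```powershell
# Added example: report the time-stamping authority (TSA) behind each countersignature
# and flag any whose chain does not end in a root trusted by this machine's store.
param(
    [string]$Path = '.\dist'   # hypothetical build output directory
)

# Placeholder: replace with the thumbprints of the TSA roots your organisation accepts.
$allowedTsaRootThumbprints = @('<TRUSTED-TSA-ROOT-THUMBPRINT>')

function Test-TsaChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check: skip revocation, and tolerate TSA certificates that have since
    # expired (a time-stamp only needs the TSA cert to have been valid when issued).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $trusted = $chain.Build($Cert)   # $false when the chain does not reach a trusted root
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Trusted        = $trusted
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        Status         = ($chain.ChainStatus | ForEach-Object Status) -join ','
    }
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi, *.ps1 | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if (-not $sig.TimeStamperCertificate) {
        # Not countersigned: the signature stops validating when the signing cert expires.
        [pscustomobject]@{ File = $_.Name; Finding = 'NO_TIMESTAMP'; Tsa = $null; Root = $null; Detail = $sig.Status }
        return
    }
    $info = Test-TsaChain -Cert $sig.TimeStamperCertificate
    $finding = if (-not $info.Trusted) { 'UNKNOWN_TSA_ROOT' }
               elseif ($allowedTsaRootThumbprints -notcontains $info.RootThumbprint) { 'TSA_NOT_ALLOWLISTED' }
               else { 'OK' }
    [pscustomobject]@{
        File    = $_.Name
        Finding = $finding
        Tsa     = $sig.TimeStamperCertificate.Subject
        Root    = $info.RootSubject
        Detail  = $info.Status
    }
} | Format-Table -AutoSize
```

Get-AuthenticodeSignature reports only the primary signature of a file; for dual-signed binaries, run signtool verify /v /all to see every countersignature.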

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.

This section is updated when new data becomes available.

Total number of packages analyzed

  • RubyGems: 183K
  • NuGet: 644K
  • PyPI: 628K
  • npm: 3.72M

Statistics are not collected for the SQ20136 policy at this time, or are not applicable to this type of issue.