SQ20136
Detected digital signatures that were countersigned by an unknown time-stamping service.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | pass | low | low | None | None |
About the issueโ
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. For application signatures, or digital code signing, it is recommended to countersign the signatures for time-stamping. Countersigned software components have their signature period validity extended past the signing certificate expiration date. However, for the timestamp to be considered trustworthy, it is important that the time-stamping service can be authenticated, and that it is managed by a reputable certificate authority. Lists of trusted certificate authorities can typically be found in certificate stores in your operating system or internet browser. Failing to countersign software components may result in application errors and availability outages.
How to resolve the issueโ
- Consult the certificate authority code signing documentation.
- With Microsoft SignTool, you can specify the trusted remote time-stamping server using the /t or /tr parameter.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 183K
- Nuget: 644K
- PyPi: 628K
- NPM: 3.72M
Recommended readingโ
- Digital certificates (External resource - Microsoft)
- Security Considerations for Code Signing (External resource: PDF document - NIST)