Code signing certificates work a little differently than SSL certificates. A timestamp is included in the signature so the certificate only needs to be valid at the time of signing. The executable will remain valid forever, even if the certificate later expires. (This is how it works on Windows)
Comment on Google's plan to restrict sideloading on Android has a potential escape hatch for users
LodeMike@lemmy.today 1 month agoThe problem with that is that certificates expire before someone would want to keep using the app.
xthexder@l.sw0.com 1 month ago
InnerScientist@lemmy.world 1 month ago
Doesn’t work, the reason they can expire is to make certificate rotation possible. If an expired ssl certificate is cracked it doesn’t matter because no browser will accept the expired certificate, with your idea the expired certificate just signs an app with the date of 1984 and it works.
Certificates in SSL can’t change the date because that date is signed by a certificate higher in the hierarchy.
xthexder@l.sw0.com 1 month ago
This isn’t “my idea”, this is how the industry already does code signing. You can’t sign something with a date of 1984 because your certificate has a start and end date, and is usually only valid for 1 year.
You can read more about how this works here: …digicert.com/…/rfc3161-compliant-time-stamp-auth…
InnerScientist@lemmy.world 1 month ago
Then you need a Trusted Third Party, right? Still requires some though on how to prevent that third party from blocking applications they don’t like but I can see how a group of trusted authorities could work.
Zak@lemmy.world 1 month ago
It need only check at install time.
LodeMike@lemmy.today 1 month ago
Correction: SSL certificates can expire before someone would want to continue being able to install any given app.
Zak@lemmy.world 1 month ago
Sure, the developer needs to keep the certificate up to date and re-sign the APK on occasion.
LodeMike@lemmy.today 1 month ago
So any APK I download will just expire at some point in time that’s probably really annoying to know, and then I have to dig through the internet again so I can install the app again?
LodeMike@lemmy.today 1 month ago
These two are identical for software.