Why do I need a time stamp when signing a script?

When you set up script signing in PrimalScript or PowerShell Studio, you see a field called “Time Stamp”. It has a large list of URLs for time stamp servers to choose from.

What does this do and why do you need that anyway?

If you look at a signing certificate, it has a validity period with a start date and an expiration date.

You can use that certificate to sign code within the validity dates shown on the certificate. Obviously, anything signed with that certificate after the expiration date is not really something you should trust. But what if something was signed with that certificate back in 2019? It should still be good to go in 2022, right? That is where the time stamp comes in.

Applying a digital signature with a time stamp certifies when it was signed. That allows the signature to be trusted even after the certificate has expired. If you do not use a time stamp, your signature becomes invalid the moment your certificate expires.

Make sure you pick a time stamp server that is reachable by your network. If you are behind a proxy server, you may be restricted to the one or two your company allows.
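
The following PowerShell sketch is an added example, not taken from PrimalScript or PowerShell Studio. It signs a script with a time stamp, confirms the countersignature was actually applied, and audits a folder for signed scripts that have no time stamp and will stop validating when their certificate expires. The time stamp URL, the function names and the 90-day warning window are assumptions; substitute a server your network allows.

```powershell
# Added example. $TimestampServer is a placeholder, not a real service.
$TimestampServer = 'http://timestamp.example.com'

function Set-TimestampedSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    # Pick the code signing certificate that is still valid for the longest time.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object NotAfter -gt (Get-Date) |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw 'No unexpired code signing certificate found.' }

    $sig = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
        -TimestampServer $TimestampServer -HashAlgorithm SHA256

    # A proxy or firewall can block the time stamp server, so verify the
    # countersignature is present instead of assuming it was applied.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on '$FilePath' has no time stamp; check that $TimestampServer is reachable."
    }
    $sig
}

function Get-SignatureTimestampReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnDays = 90   # assumed warning window
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, skip
            $stamped = $null -ne $sig.TimeStamperCertificate
            $expires = $sig.SignerCertificate.NotAfter
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Timestamped = $stamped
                CertExpires = $expires
                # Without a time stamp the signature dies with the certificate.
                AtRisk      = (-not $stamped) -and ($expires -lt (Get-Date).AddDays($WarnDays))
            }
        }
}
```

Running `Get-SignatureTimestampReport -Path .\Scripts | Where-Object AtRisk` lists the files that need to be re-signed with a time stamp before the certificate expires.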