Certificate Question

[Johuan 0]

Hello! I am a bit paranoid and also not very tech savvy so i would please need your advise. I downloaded the ESET Internet Security installer from your website and i saw that the sha256 certificate had an expire date of 06 May of 2019. Could you please tell me what that means? Is it safe to install the .exe file or does it need update? Thanks and sorry if the question is silly.

[itman 1,659]

3 hours ago, Johuan said:

i saw that the sha256 certificate had an expire date of 06 May of 2019.

That is a bit odd. Mine has an expiration date of 12/12/2028.

[Marcos 5,074]

The countersignature method of time stamping allows for signatures to be verified even after the signing certificate has expired or been revoked. The time stamp allows the verifier to reliably know the time that the signature was affixed and thereby trust the signature if it was valid at that time.  Therefore you can disregard the SHA1 and SHA256 signatures.

 

[Martin223 0]

Hello, Marcos. Johuan says his .exe has a signature with an expiration date of 06 May of 2019 but itman has expiration date of 12 December 2028. Can you please confirm witch is the right one? P.S. I know both are valid but curious why they  are different. I just downloaded and says 06/05 /19 in the sha256.

Edited May 18, 2019 by Martin223

[Marcos 5,074]

23 minutes ago, Martin223 said:

Hello, Marcos. Johuan says his .exe has a signature with an expiration date of 06 May of 2019 but itman has expiration date of 12 December 2028. Can you please confirm witch is the right one? P.S. I know both are valid but curious why they  are different. I just downloaded and says 06/05 /19 in the sha256.

I don't know what executables they checked but it doesn't matter. What matters is the presence of a countersignature which ensures that the certificate was valid at the time of signing the installer:

[itman 1,659]

I didn't realize the OP was referring to the cert. for the Eset Installer download.

I don't have a downloaded copy of the current installer, but will show a screen shot of the Eset cert. use to sign ekrn.exe. As @Marcos posted, as long as the it shows that the cert. is valid on the download .exe, there is nothing to be concerned about:

 

Edited May 18, 2019 by itman

[Marcos 5,074]

8 minutes ago, itman said:

as long as the it shows that the cert. is valid on the download .exe, there is nothing to be concerned about

I would correct this - as long as there is a timestamp (countersignature), the digital signature remains valid if the certificates used to sign the file already expired.

[itman 1,659]

2 minutes ago, Marcos said:

as long as there is a timestamp (countersignature), the digital signature remains valid if the certificates used to sign the file already expired.

If its not countersigned, the cert. will show as expired as is my understanding.

[itman 1,659]

Also as I again understand it on Win 10, an app with an expired cert. will be flagged by UAC:

Quote

On the other hand you might find yourself in a perfectly valid situation where you’ve downloaded the drivers for a file directly from the manufacturer website and they simply won’t run properly on Windows 10 because of technical (but not malicious) problems like an expired or improperly applied certificate

https://www.howtogeek.com/230063/how-to-circumvent-this-app-has-been-blocked-for-your-protection-to-install-apps-in-windows-10/