GlobalSign EV code signing Certificate: Timestamp Server Update
Following a decision of the CA/B Forum the key length for EV code signing certificates will have to be 3072-bit at least from June 1st, 2021.
As a result, GlobalSign is providing a new URL for its timestamp server to comply with this new standard. You will have to update this address on your software because after June 1st, 2021 the old timestamp URL will not work anymore.
As a reminder, time stamping is an essential element of code signing. Although technically optional, time stamping allows you to maintain the validity of the signatures made by your key in perpetuity. Without a timestamp, signatures cease to be reliable when the certificate associated with the signing key expires.
Here is the new URL to be used as of June 1st, 2021:
- Name : New R6 TSA
- URL : timestamp.globalsign.com/tsa/r6advanced1
For your information, here is the old URL that will no longer work after June 1st, 2021:
- Name : Legacy R3 TSA
- URL : rfc3161timestamp.globalsign.com/advanced
How to proceed
Here is an example with the signtool command line software
signtool sign /a /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 c:/path/to/your/file.exe
Another example to sign a JAVA component
jarsigner -tsa http://timestamp.globalsign.com/tsa/r6advanced1 -keystore [keystore-name] file-to-sign.jar [alias-name]