github / smimesign

An S/MIME signing utility for use with Git
MIT License
596 stars 135 forks

x509 signatures do not contain signing date #43

Closed henning-schild closed 5 years ago

henning-schild commented 5 years ago

Looking at a repo with x509-signed commits, I found that smimesign signatures look different when verified on Linux with gpgsm. They seem to not contain the signing date, or not in the expected format.

A commit signed on Linux will look like this:

gpgsm: Signature made yyyy-mm-dd hh:mm:ss using certificate ID 0xXXXXX
gpgsm: Good signature from ...
...

Signatures made with smimesign on Windows and Mac:

gpgsm: Signature made [date not given] using certificate ID 0xXXXXX
gpgsm: Good signature from ...
...

This is gpgsm 2.2.10 checking the signatures.

btoews commented 5 years ago

This is intentional. The signing timestamp is optional and I chose not to include it. My reason is that the signer can specify any time and this value isn't trustworthy. Instead, signers should include a signed timestamp (RFC3161).

That said, it would be harmless to include a normal timestamp in the signature, even though it can't be verified. If you feel strongly that this would be valuable, I wouldn't be opposed to adding it.

bufferoverflow commented 5 years ago

Would be nice to have the time stamp as well. Is RFC3161 implemented within gpg signatures?

btoews commented 5 years ago

I'm not aware of any way to verifiably timestamp signatures with PGP. S/MIME does support RFC3161 signatures and this is implemented in smimesign.
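To make the two points in this thread concrete (the signingTime attribute is optional and signer-chosen, while an RFC 3161 token is a third-party attestation stored as an unsigned attribute), here is an added example in Go. It is not smimesign's own code and uses only `encoding/asn1` from the standard library; the function names (`BuildSignedAttrs`, `SigningTime`, `FindAttr`, `TimeStampImprint`, `WrapTimeStampToken`) are this example's, the commit digest is computed over constructed input, and the `0x30 0x00` bytes passed as a token are an empty SEQUENCE placeholder, not a real TimeStampToken. It builds a CMS signedAttrs SET with and without signingTime, decodes it the way a verifier such as gpgsm does (absence is the "[date not given]" case), and shows where an RFC 3161 token goes and which imprint the TSA signs.

```go
package main

import (
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// CMS attribute OIDs (RFC 5652 section 11; id-aa-timeStampToken from RFC 3161 appendix A).
var (
	oidData           = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	oidContentType    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
	oidMessageDigest  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
	oidSigningTime    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5}
	oidTimeStampToken = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14}
)

// Attribute mirrors CMS Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }.
type Attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}

// der DER-encodes v and keeps the bytes as an opaque attribute value.
func der(v interface{}) asn1.RawValue {
	b, err := asn1.Marshal(v)
	if err != nil {
		panic(err)
	}
	return asn1.RawValue{FullBytes: b}
}

// BuildSignedAttrs builds the signedAttrs SET whose DER (SET tag, RFC 5652 section 5.4) the signer
// hashes and signs. contentType and messageDigest are mandatory once signedAttrs is present;
// signingTime is optional and chosen by the signer, covered only by the signer's own signature.
// nil omits it, which is what smimesign does and why gpgsm prints "Signature made [date not given]".
func BuildSignedAttrs(contentDigest []byte, signingTime *time.Time) ([]byte, error) {
	attrs := []Attribute{
		{Type: oidContentType, Values: []asn1.RawValue{der(oidData)}},
		{Type: oidMessageDigest, Values: []asn1.RawValue{der(contentDigest)}},
	}
	if signingTime != nil {
		attrs = append(attrs, Attribute{Type: oidSigningTime, Values: []asn1.RawValue{der(signingTime.UTC())}})
	}
	return asn1.MarshalWithParams(attrs, "set")
}

// FindAttr decodes a SET OF Attribute (signed or unsigned) and returns the attribute of the given type, or nil.
func FindAttr(set []byte, oid asn1.ObjectIdentifier) (*Attribute, error) {
	var attrs []Attribute
	if _, err := asn1.UnmarshalWithParams(set, &attrs, "set"); err != nil {
		return nil, err
	}
	for i := range attrs {
		if attrs[i].Type.Equal(oid) {
			return &attrs[i], nil
		}
	}
	return nil, nil
}

// SigningTime returns the signingTime of a signedAttrs SET; ok == false is the "[date not given]" case.
func SigningTime(signedAttrs []byte) (t time.Time, ok bool, err error) {
	a, err := FindAttr(signedAttrs, oidSigningTime)
	if err != nil || a == nil {
		return t, false, err
	}
	if len(a.Values) != 1 {
		return t, false, errors.New("signingTime must carry exactly one value")
	}
	if _, err := asn1.Unmarshal(a.Values[0].FullBytes, &t); err != nil {
		return t, false, err
	}
	return t, true, nil
}

// TimeStampImprint is the messageImprint sent to the TSA for a CMS signature: a digest of the SignerInfo
// signature octets (RFC 3161 appendix A). The TSA signs it together with its own genTime.
func TimeStampImprint(signatureValue []byte) []byte {
	h := sha256.Sum256(signatureValue)
	return h[:]
}

// WrapTimeStampToken puts a TSA-issued TimeStampToken (a DER ContentInfo) into an unsignedAttrs SET under
// id-aa-timeStampToken. It is unsigned because it can only exist after the signature value it covers.
// Verifiers must still check the token's own SignedData against the TSA certificate and TimeStampImprint.
func WrapTimeStampToken(tokenDER []byte) ([]byte, error) {
	attrs := []Attribute{{Type: oidTimeStampToken, Values: []asn1.RawValue{{FullBytes: tokenDER}}}}
	return asn1.MarshalWithParams(attrs, "set")
}

func main() {
	digest := sha256.Sum256([]byte("constructed sample commit object")) // constructed input
	when := time.Date(2019, 1, 15, 10, 30, 0, 0, time.UTC)
	for _, st := range []*time.Time{nil, &when} {
		attrs, _ := BuildSignedAttrs(digest[:], st)
		t, ok, _ := SigningTime(attrs)
		fmt.Println("signingTime present:", ok, t)
	}
}
```

The design point the thread makes falls out of the structure: signingTime sits inside the data the signer itself signs, so the only party vouching for it is the signer, whereas the timestamp token is produced by the TSA over a digest of the finished signature, which is why it must live in unsignedAttrs and why its time can be checked against a key the signer does not hold.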