Closed rasky closed 2 years ago

It looks like signing with an expired certificate succeeds and does not produce any error. Obviously, calling `verify` afterwards shows that the signature is invalid because the certificate is expired. But given that osslsigncode is used very often in a CI/CD environment, I would reckon that most users expect that `osslsigncode sign` fails (exits with non-zero code) when it fails to create a valid signature for any reason.

I can imagine valid use cases for signing a file with a certificate that is not in its validity period. Whether it is a good idea to make private code signing keys available from a CI/CD environment is a topic for a separate discussion.

I guess we could clarify in the documentation that the signing operation does not ensure validity of the certificate chain.

> I can imagine valid use cases for signing a file with a certificate that is not in its validity period.

Also if timestamping is active?

> I guess we could clarify in the documentation that the signing operation does not ensure validity of the certificate chain.

That would be good I think, thanks. I'd just explicitly mention that this also includes expired certificates (though it is technically implied by your sentence, if you are a PKI expert), and suggest running verify afterwards as a check.
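A CI-side guard of the kind the thread arrives at, written here as an added example (it is not part of the issue or of the osslsigncode project): the certificate's remaining validity is checked with `openssl x509 -checkend` before signing, and `osslsigncode verify` is run on the output so that the pipeline step fails even though `osslsigncode sign` itself exits 0 on an expired certificate. The function names, the margin argument and the optional timestamp URL parameter are this example's own conventions; the `-certs`, `-key`, `-in`, `-out` and `-t` options are osslsigncode's documented ones.

```shell
#!/bin/sh
# Added example, not code from the osslsigncode project.
set -u

# cert_is_usable CERT_PEM [MARGIN_SECONDS]
# Returns 0 if the certificate's notAfter is more than MARGIN_SECONDS
# (default 0) in the future, non-zero if it is expired or expires within
# the margin. `openssl x509 -checkend N` exits 1 in exactly that case.
# Note: -checkend looks only at notAfter, not at notBefore.
cert_is_usable() {
  cert="$1"
  margin="${2:-0}"
  openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null 2>&1
}

# sign_and_verify IN OUT CERT_PEM KEY_PEM [TIMESTAMP_URL]
# Signs IN into OUT and then verifies OUT. Exit codes (this example's own):
#   2 certificate expired / inside margin, 3 sign failed, 4 verify failed.
# A one-day margin is assumed so a build started just before expiry does
# not produce a signature that is already stale when it ships.
sign_and_verify() {
  in="$1"; out="$2"; cert="$3"; key="$4"; tsurl="${5:-}"

  if ! cert_is_usable "$cert" 86400; then
    echo "refusing to sign: $cert is expired or expires within 24h" >&2
    return 2
  fi

  if [ -n "$tsurl" ]; then
    osslsigncode sign -certs "$cert" -key "$key" -t "$tsurl" \
      -in "$in" -out "$out" || return 3
  else
    osslsigncode sign -certs "$cert" -key "$key" \
      -in "$in" -out "$out" || return 3
  fi

  # A zero exit from `sign` is not proof of a valid signature; verify the
  # artifact and let the verify status decide whether the CI step passes.
  if ! osslsigncode verify -in "$out"; then
    echo "signature on $out does not verify" >&2
    return 4
  fi
}
```

Usage in a pipeline step: `sign_and_verify build/app.exe dist/app.exe cert.pem key.pem http://TIMESTAMP_URL_PLACEHOLDER || exit $?`. The margin check catches the expired-certificate case before any signing happens; the trailing `verify` catches everything else the thread mentions (chain problems, a certificate outside its validity period that still signed successfully).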