Digital Signature Of "USB Immunizer" Expired In 2012! Is It Safe To Download & Use?

"USB IMMUNIZER"'s DIGITAL SIGNATURE expired in December of 2012, despite the fact that it is still available for download on your CURRENT websites for Romania, Canada, Australia, UK, France, Espana and India.


Is it still safe to download and use?


Why does a security company not keep digital signatures up-to-date???!!!

Comments

  • csalgau ✭✭
    edited August 2013

    Digital signatures themselves do not expire (unless revoked explicitly). They are not usually checked against the system clock. If that were the case, most builds of Windows, for example, would currently have invalid signatures.


    Certificates used to sign files, on the other hand, do expire.


    Normally a valid certificate is used to sign a file, then the signature is countersigned by another entity saying that it was indeed signed at that time, thus telling a user the file was signed with a certificate that was valid at the time of signing.


    If you take a look at the file in question, you will notice that it was signed with a certificate valid up to 14/12/2012 and countersigned on 09 October 2012 4:19:54 PM by Symantec Time Stamping Services Signer - G3. This places the signature inside the validity period of the signing certificate and makes it valid.


    It is possible to sign a file without timestamping it, but that would make the signature invalid outside the certificate validity period.


    That being said, the application will get updated and signed again when this is needed, not just to refresh its signature. Otherwise we would have to recall and re-sign each and every release and tool every year for a standard certificate.


    To sum up - the file is safe, valid and re-signing is not needed for it at the moment.


    Hope that clears up any confusion. If not, please do not hesitate to express your concerns.

  • Thank you for the speedy and detailed answer. I will now install the application with confidence.


    In order to increase my understanding, may I ask a follow-up question?


    After clicking the "View Certificate" button, the next box has a "Details" tab. In this tab, the line "Extended Error Information" says "Revocation Status: OK. Effective Date <Monday, August 12, 2013 5:00:03> Next Update <Monday, August 26, 2013 5:00:03>". What is the significance of this?


    Thank you.

  • The Extended Error Information field provides information related to the validity and integrity of the signature. This includes standard compliance of data in the signature's embedded information as well as trustworthiness of the signature. This specific field is not stored with the file. It is generated when you ask Windows for information on a signature in response to the data it finds there.


    The string you are seeing states that the signature has not been revoked or suspended by the signer or issuer as of August 12th, 2013, and the next validity check will be done two weeks from that time. Since validity is checked against the issuer's online service, this interval is needed to avoid unnecessary load on the certification authority's servers.


    If there was a problem, you could observe states different from OK, such as 'revoked' or 'pending' in some cases.


    I hope this helps.

  • zzzzzz
    edited August 2013

    Mr. Salgau, that is a fantastic answer. I am very grateful!
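
The validity rule from the two answers above (a countersigned signature is judged at its timestamp, an un-timestamped one against the current clock, and revocation data is reused until its next update), as an added Python example that is not part of the thread or of any vendor's code. The dates come from the thread; `NOT_BEFORE`, the end-of-day time on `NOT_AFTER`, and the rule that any revocation invalidates the signature are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass
class CodeSignature:
    cert_not_before: datetime             # start of signing certificate validity
    cert_not_after: datetime              # end of signing certificate validity
    timestamp: Optional[datetime] = None  # trusted countersignature time, if any
    revoked: bool = False                 # assumption: any revocation invalidates


def evaluate(sig: CodeSignature, now: datetime) -> Tuple[bool, str]:
    """Decide whether a signature is acceptable at verification time `now`."""
    if sig.revoked:
        return False, "signing certificate revoked"
    # A countersigned signature is judged at the time it was made;
    # without a timestamp the only reference point is the current clock.
    reference = sig.timestamp if sig.timestamp is not None else now
    if reference < sig.cert_not_before:
        return False, "signed before certificate became valid"
    if reference > sig.cert_not_after:
        return False, "certificate expired at reference time"
    basis = "timestamp" if sig.timestamp is not None else "current time"
    return True, f"certificate valid at {basis}"


def revocation_data_fresh(effective: datetime, next_update: datetime,
                          now: datetime) -> bool:
    """Cached revocation data is reused until its next-update time."""
    return effective <= now < next_update


# Dates from the thread; NOT_BEFORE and the time of day on NOT_AFTER are constructed.
NOT_BEFORE = datetime(2011, 12, 14)
NOT_AFTER = datetime(2012, 12, 14, 23, 59, 59)
COUNTERSIGNED = datetime(2012, 10, 9, 16, 19, 54)
CHECKED = datetime(2013, 8, 12, 5, 0, 3)
NEXT_UPDATE = datetime(2013, 8, 26, 5, 0, 3)

stamped = CodeSignature(NOT_BEFORE, NOT_AFTER, timestamp=COUNTERSIGNED)
unstamped = CodeSignature(NOT_BEFORE, NOT_AFTER)

if __name__ == "__main__":
    print(evaluate(stamped, CHECKED))     # judged at the October 2012 timestamp
    print(evaluate(unstamped, CHECKED))   # judged at the August 2013 clock
    print(revocation_data_fresh(CHECKED, NEXT_UPDATE, datetime(2013, 8, 20)))
```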