Page MenuHome GnuPG

gpgsm support for timestamp signatures
Open, NormalPublic


gpgsm currently does not have support for timestamp signatures created by an external Time Stamping Authority (TSA).

This is a big limitation regarding certificate- and signature life cycle management. Currently, gpgsm:

  • accepts a signature as valid even after the signer certificate has expired (the signature remains valid forever).
  • rejects a signature as invalid when a certificate is revoked, regardless of when the signature was created.

The limitations make sense considering the lack of trusted timestamps, but they also illustrate the need for the timestamps.

Without timestamp support it is very hard to revoke a certificate, since it invalidates all existing signatures, requiring all data to be audited again and re-signed.

Also, an expired certificate, even though it is not revoked, should formally not be allowed to create new signatures after its expiration date. (An attacker may for example have an easier time finding and stealing, without discovery, an old/expired certificate and its private key, considering that its owner regards it as obsolete, does not realize its value, and keeps it less protected).

Therefore it would be very nice if gpgsm included support for timestamp creation and verification, according to RFC 3161, with the CMS-related format as described in Appendix A.

This feature request may be related to

Event Timeline

werner triaged this task as Normal priority.May 27 2019, 3:58 PM
werner added projects: S/MIME, gnupg (gpg23).

@werner There's renewed interest with protecting supply chains. GnuPG is used by a lot of open source systems. Is it possible to bump the priority on this?

Funnily I created a file dirmngr/rfc3161.c last Sunday. I can't tell how long it will take but I am definitely interested in using GnuPG to create qualified signatures. Timestamp support is at least good for testing.

nice, that's great news! I'll have to try it out when I get a chance.