Impact of Verisign Timestamping Service on ClickOnce deployed Apps



We have a number of applications that are deployed using ClickOnce and we use
the VeriSign timestamping service. The VeriSign timestamping service is being
upgraded to use SHA-1 instead of MD5 and I need to gauge how this will affect
our applications.

From what I understand when the application is signed the TimeStamping
Service is called to generate a hashed timestamp that is inserted in the code
with the signature. When the client verifies the signature it verifies the
timestamp and if it is valid it ignores the expiration date of the

This means that nothing should change on the deployment side but it will
affect client machines with older operating systems (Pre Win2k) that don't
know how to deal with SHA1 timestamp.

Can anyone confirm this information and tell me if any other problems await


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question