Expired certificates in .NET assemblies #114954
We are currently in the process of carrying out a security review of our software. Examples:
As we act as a software manufacturer for our customers, we would like to know how we should communicate this to our customers and how we should deal with it internally. Do you have any experience or tips on this?
Replies: 1 comment
This is expected in how code signing certificates work. The certificate's expiration does not invalidate the signature, because the assemblies contain a timestamp attesting that they were signed at a time when the certificate was valid. See https://comodosslstore.com/resources/what-is-a-timestamp-in-code-signing-how-does-timestamping-work/ for more info about how timestamps in code signing work.
You can validate the signature of an assembly in the "Digital signatures" tab in the file properties, or use the Get-AuthenticodeSignature PowerShell command.
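For a review that covers many files, the Get-AuthenticodeSignature check from the reply above can be run over a whole directory. The following is an added example, not part of the original reply or of the .NET project; the function name, the output column names and the default path are choices made for this example.

```powershell
# Added example: report Authenticode status for every .dll/.exe under a directory.
# Get-AssemblySignatureReport and its column names are hypothetical, chosen for this example.
function Get-AssemblySignatureReport {
    param(
        # Defaults to the PowerShell install directory so there are signed files to inspect.
        [string]$Path = $PSHOME
    )

    $now = Get-Date

    Get-ChildItem -Path $Path -Recurse -File -Include *.dll, *.exe | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate

        # An expired signer certificate is only a finding if the signature no longer verifies.
        $expired     = ($null -ne $signer) -and ($signer.NotAfter -lt $now)
        $timestamped = $null -ne $sig.TimeStamperCertificate

        $assessment = if ($sig.Status -eq 'NotSigned') {
            'Unsigned'
        } elseif ($sig.Status -eq 'Valid' -and $expired -and $timestamped) {
            'OK (certificate expired, signature is timestamped)'
        } elseif ($sig.Status -eq 'Valid') {
            'OK'
        } else {
            # Covers hash mismatch, untrusted chain, or an expired certificate with no timestamp.
            'Investigate: ' + $sig.StatusMessage
        }

        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status
            SignerSubject = if ($signer) { $signer.Subject } else { $null }
            SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
            CertExpired   = $expired
            Timestamped   = $timestamped
            Assessment    = $assessment
        }
    }
}

# List only the files that need a closer look.
Get-AssemblySignatureReport |
    Where-Object { $_.Assessment -notlike 'OK*' } |
    Format-Table File, Status, Assessment -AutoSize
```

Files reported as "OK (certificate expired, signature is timestamped)" are the case the reply describes: Status is still Valid because the timestamp shows the signing happened while the certificate was valid.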