So let's say XYZ Soft creates an application, XYZCalc. They build the product, create an MSI and an EXE installer, and put it on the internet. The commercial (not self-signed) cert they use to sign the app is valid for two years.

XYZ Soft goes under and closes its doors. However, that EXE and MSI are still floating around out there. Four years go by. The cert they used to sign the app has expired.

QUESTION: Can I still install the application, after four years?

1 Answer

Yes, if the signature contains a cryptographic time stamp. The Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) defined in RFC 3161 and RFC 5816 defines the standard. You can use your own time stamp authority on-premises or an externally hosted one to provide you a time stamp. Here is a Gist with free-to-use Time Stamp Server URLs: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710

If you use signtool.exe to create the signature you can use its time stamping options to do so.

# This is how to timestamp a previously signed file
& signtool.exe timestamp `
  /t "https://url-of-a-time-stamp-server.com" `
  ".\MyApp.exe"

# This is how to sign and timestamp a file in one
& signtool.exe sign `
  /n "Subject-Name-Of-Certificate-In-Store-User-My" `
  /t "https://url-of-a-time-stamp-server.com" `
  ".\MyApp.exe"
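As an added example (not part of the answer above), the following PowerShell function uses the built-in Get-AuthenticodeSignature cmdlet to check, on the installing side, whether a file's signature carries a time stamp counter-signature and whether Windows still reports it Valid even though the signing certificate has expired; the folder path is an assumption.

```powershell
# Added example: report whether an Authenticode signature is protected by a
# time stamp, so that an expired signing certificate does not invalidate it.
function Test-SignatureTimestamp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $now    = Get-Date
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate   # $null when no counter-signature is present

    [pscustomobject]@{
        File               = $Path
        Status             = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusMessage      = $sig.StatusMessage
        Signer             = if ($signer) { $signer.Subject } else { $null }
        SignerExpired      = if ($signer) { $signer.NotAfter -lt $now } else { $null }
        HasTimestamp       = [bool]$tsa
        TimestampAuthority = if ($tsa) { $tsa.Subject } else { $null }
        # True exactly in the scenario from the question: the signing cert has
        # expired, a time stamp is present, and the signature still validates.
        ValidDespiteExpiry = ($sig.Status -eq 'Valid') -and
                             [bool]$signer -and ($signer.NotAfter -lt $now) -and
                             [bool]$tsa
    }
}

# Usage (assumed folder): check every installer/executable before running it
Get-ChildItem -Path '.\downloads' -Include *.exe, *.msi -Recurse |
    ForEach-Object { Test-SignatureTimestamp -Path $_.FullName } |
    Format-Table -AutoSize
```

A file whose signer has expired but that reports Status Valid with HasTimestamp True is the case the answer describes; an expired signer with HasTimestamp False will normally show a non-Valid status, because the time stamp must have been applied while the certificate was still valid.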