Reputation: 101
I'm using signtool to sign my exe and dll files. For testing purposes, I want to find a way to do it using an expired certificate. Is it possible? If it's not possible with signtool, I can also use another tool. Btw. I don't want to change my system date, because later I want to try adding a timestamp.
This is the command along with the parameters used with signTool to sign my file:
signTool sign /f expiredCert.pfx /p "pass" /v test.dll
As a result I get:
SignTool Error: No certificates were found that met all the given criteria.
Upvotes: 3
Views: 2889
Reputation: 101
I'm answering my own question because it turns out that the easiest way to do it is to manipulate the system time. That was cumbersome for me because that is blocked on my dev machine, so I had to do it with a VirtualBox machine with time synchronization turned off. After changing the system time to a date within the certificate's validity period, I was able to sign the files. Later I was even able to add a timestamp using an external service. Windows of course complains about that fact right away when you check out the Digital Signatures tab in the file properties, but this is what I wanted to achieve in order to perform my tests.
Upvotes: 6
Reputation: 428
As you noted, it is possible to sign, but for it to be REALLY signed (Authenticode), as said here https://support.globalsign.com/code-signing/ev-code-signing-windows-7-and-8
Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.
you need to timestamp it. I doubt you are allowed to timestamp with a cert that is expired at the moment of timestamping (it will never be valid IMHO).
P.S. You are allowed to do it :( Nvidia does it. And as I said, it is invalid, but skipped by Windows 10, though it is recognized as bad by VirtualBox.
Upvotes: 0
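To check the outcome described in the two answers above (an expired signer certificate with or without a timestamp countersignature) without clicking through the Digital Signatures tab, here is an added PowerShell audit script; it is not from the question or the answers, and the file path passed to it is a placeholder you supply. It relies only on the built-in Get-AuthenticodeSignature cmdlet and the certificate objects it returns.

```powershell
# Added example, not part of the original Q&A.
# Reports, for each signed PE file, whether the signer certificate is currently
# expired and whether a timestamp countersignature is present. A file signed
# with an expired certificate and no timestamp cannot validate against the
# current clock; with a timestamp, Windows evaluates the chain at signing time.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Path   # e.g. .\test.dll (placeholder path)
)

foreach ($file in $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $now = Get-Date

    $result = [ordered]@{
        File          = $file
        Status        = $sig.Status          # Valid, NotSigned, UnknownError, ...
        StatusMessage = $sig.StatusMessage   # human-readable reason from WinVerifyTrust
        Signer        = $null
        NotBefore     = $null
        NotAfter      = $null
        SignerExpired = $null
        Timestamped   = $false
        Verdict       = 'NotSigned'
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer        = $cert.Subject
        $result.NotBefore     = $cert.NotBefore
        $result.NotAfter      = $cert.NotAfter
        $result.SignerExpired = ($now -gt $cert.NotAfter)
        # TimeStamperCertificate is populated only when a countersignature exists.
        $result.Timestamped   = ($null -ne $sig.TimeStamperCertificate)

        if ($sig.Status -eq 'Valid') {
            $result.Verdict = 'OK'
        } elseif ($result.SignerExpired -and -not $result.Timestamped) {
            $result.Verdict = 'ExpiredSigner-NoTimestamp'   # the failing case in the question
        } elseif ($result.SignerExpired) {
            $result.Verdict = 'ExpiredSigner-Timestamped'   # the case the self-answer produced
        } else {
            $result.Verdict = "Check: $($sig.Status)"
        }
    }

    [pscustomobject]$result
}
```

For the same information from the SDK tooling, `signtool verify /pa /v test.dll` prints the signer chain and, when present, the timestamp the signature carries.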