[openssl-users] in the department of "ain't no perfect"

[Charles Mills]

Leaping into something where I really don't know what I am talking about, does not code signing do that routinely? I can install software signed with a certificate that has expired, provided it had not expired when the code was signed.

Does that help, or it is just useless chatter about something you already knew?

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Eliot Lear
Sent: Tuesday, January 15, 2019 7:29 AM
To: openssl-users at openssl.org
Subject: [openssl-users] in the department of "ain't no perfect"

I realize things haven't been made easy to do this on purpose, and that there's even a comment in one of the man pages to that effect, but here goes...

I have an application that requires long-lived signatures, perhaps long past the point where the signer's cert has expired.  I'd like a way to extract the signature date from a CMS structure.  With all the opaque structs that have been introduced in the last few releases, it's not clear to me how to do that.  Any examples or guidance (other than don't do that)?