According to the proposal, the maximum validity period for publicly trusted code signing certificates will be significantly shortened from the current 39 months (approximately 3 years and 3 months) to 460 days (approximately 15 months). This means that the certificate management cycle for developers and enterprises will undergo a major change.

According to the official announcement, the voting phase for CSC-31, the proposal to shorten the maximum validity period, has concluded, and the ballot has passed.
Certificate Issuers:
9 votes in total: 7 in favor (Asseco Data Systems SA (Certum), DigiCert, eMudhra, HARICA, IdenTrust, Sectigo, SSL.com), 0 against, 2 abstentions (Actalis, GlobalSign)
Certificate Consumers:
1 vote in total: Microsoft voted in favor
In accordance with the CA/B Forum bylaws, this vote has met all validity conditions and is now in effect. The proposal has entered the IP Rights Review Period and is expected to be formally incorporated into industry baseline requirements after the review period concludes.

This move continues the industry trend in recent years toward ever-shorter digital certificate lifecycles. From TLS/SSL to code signing, the entire trust system is accelerating towards a new stage of "short cycle and high automation".
Code signing certificates are a core security mechanism for ensuring trusted software distribution, used to verify the authenticity of code origins, content integrity, and distribution credibility. However, with increasingly frequent supply chain attacks, the security risks posed by long-lived certificates are becoming increasingly apparent.
Shortening certificate validity helps to:
Improve security: Shorter lifecycles allow for the rapid revocation of compromised certificates, reducing long-term risk exposure;
Strengthen compliance: More frequent updates ensure configurations meet the latest security standards and industry requirements;
Drive automation: Enterprises need to build automated issuance and update mechanisms, deeply integrating the signing process into CI/CD pipelines.
This shortening of certificate validity is not merely an adjustment to management rules, but a profound restructuring of the software supply chain trust system.
Moving towards high-frequency automation and building a "dynamic, short-term, and verifiable" agile trust ecosystem will become the new direction for the industry.
Developers and enterprises that actively embrace this trend will also be securing their future competitiveness in security.