I’d like to explore the argument that code signing is a time bomb more thoroughly. The purpose, as I understand it is to confirm that yes I (the private key owner) did in fact write this code. Once a certificate expires OR is revoked the certificate validating the code is no longer trustworthy. Being as the certificate is no longer trustworthy the code cannot be validated in that way.
Certificates can be revoked for many reasons, and yes this could be abused by a CA but at some point you have to trust someone or compile it yourself… If you’re paranoid enough to review every piece of code and compile it yourself you would not be affected by this, so you already are trusting the CA.
The intent of this system is to allow anyone in the chain to say “hey my piece was compromised don’t trust anything from me until it’s fixed with a new cert”. In this case the CA cert expired and the certs issued by said expired CA were no longer to be trusted because of that expiration. This worked as designed.
This is my, abridged and possibly flawed, understanding so please do not take it as gospel and know that I will be very appreciative of being provided with new information.
With that said, what do you propose as a better solution?