Why should we set a timestamp when we do a codesigning?

Question

If I set a timestamp with signing, what happens?
What if I don\'t set?

Is it essential? Why is it recommended?

Answer 1

If the signing certificate expires and there's no timestamp, there's no way to verify that the signature was made at a time when the certificate was valid, so previously signed code may just "stop working".

Timestamping involves a third party (usually your CA) attesting that you made the signature at a particular time. Regardless of when your certificate expires, somebody receiving the signed code can then verify that your certificate was valid at the time you signed it.