GPG4win and Kleopatra use local machine time for digital signatures, but those times are not credible. Request that signatures use GMT time retrieved from a secure time server, such as:
to provide irrefutable signature time. Optionally include local time for convenience.
I don’t think that this will happen. OpenPGP is decentralized / offline able by design. Using a signed timestamp would introduce a centralized element and require an online connection. So the signature time is at the discretion of the signer and can be faked.
But the signature timestamp is nowhere used as a security feature AFAIK. It’s just informative.
This is also nothing Gpg4win could change. Including timestamps signed by a third party would need a change to the OpenPGP standard to be interoperable.
Hi Bill,
in addition to what Andre wrote:
OpenPGP already saves the time in UTC, see RFC4880:
3.5. Time Fields
A time field is an unsigned four-octet number containing the number
of seconds elapsed since midnight, 1 January 1970 UTC.
Best Regards,
Bernhard