11

I have observed that windows executable files show incorrect timestamps when I view them in PE studio. For example this Notepad.exe file shows a compiler timestamp of 0x86FCBD69 (Mon Oct 07 03:45:05 2041 )

To validate this today (3 May 2021),I converted a Python program file to EXE & checked the same in PE Studio. It also showed an incorrect compiler timestamp of 0x5FFEC122 (Wed Jan 13 15:15:06 2021 ) Python executable

Why are compiler timestamps incorrect ? To my understanding if the Python program was converted to exe today, it should show today's date under the compiler timestamp.

Monk
  • 123
  • 1
  • 7

1 Answers1

22

They're deliberately set to a fixed value:

  • The Old New Thing: Why are the module timestamps in Windows 10 so nonsensical?

    One of the changes to the Windows engineering system begun in Windows 10 is the move toward reproducible builds. This means that if you start with the exact same source code, then you should finish with the exact same binary code.

    […]

    Timestamps are another source of non-determinism. Even if all the inputs are identical, the outputs will still be different because of the timestamps. [...] Setting the timestamp to be a hash of the resulting binary preserves reproducibility.

  • The Old New Thing: What does the executable timestamp really mean?

    The name timestamp is misleading. Its real purpose is to act as a signature so that the operating system can determine whether a DLL against which one set of values was precalculated matches the DLL physically on the system. A better name for it would have been "UniqueId".

Note: There are two meanings to the term 'signature' here. Raymond calls the field a "signature" only in the sense of it being something unique that allows distinguishing this binary from other binaries (in the same way that the 'MZ' bytes are a signature for all .exe files). It is however not a cryptographic digital signature and does nothing to ensure the file's integrity or authenticity.

grawity
  • 501,077