ralphje · TheDoctor0 · Jun 25, 2020 · Jun 25, 2020
diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,5 @@
+git+https://github.com/wbond/certvalidator@74ae7a8#egg=certvalidator==0.12.0.dev1
 pyasn1
-certvalidator
 asn1crypto
 oscrypto
 pyasn1-modules

diff --git a/signify/context.py b/signify/context.py
@@ -243,7 +243,7 @@ def verify(self, certificate):
         timestamp = self.timestamp
         context = ValidationContext(
             trust_roots=list(trust_roots),
-            moment=timestamp,
+            moment=timestamp if not self.allow_fetching else None,
             weak_hash_algos=set() if self.allow_legacy else None,
             revocation_mode=self.revocation_mode,
             allow_fetching=self.allow_fetching,

diff --git a/tests/test_authenticode.py b/tests/test_authenticode.py
@@ -137,6 +137,14 @@ def test_3a7de393a36ca8911cd0842a9a25b058_valid_different_contenttype(self):
             pefile = SignedPEFile(f)
             pefile.verify()
 
+    def test_3a7de393a36ca8911cd0842a9a25b058_valid_with_crl_fetching(self):
+        """works when timestamp is defined and CRL fetching enabled"""
+        with open(str(root_dir / "test_data" / "3a7de393a36ca8911cd0842a9a25b058"), "rb") as f:
+            pefile = SignedPEFile(f)
+            pefile.verify(verification_context_kwargs=
+                          {'timestamp': datetime.datetime(2019, 1, 1, tzinfo=datetime.timezone.utc),
+                           'allow_fetching': True, 'revocation_mode': 'hard-fail'})
+
     def test_solwarwinds_valid_countersignature_rfc3161(self):
         """Solarwinds includes a 1.3.6.1.4.1.311.3.3.1 type countersignature"""
         with open(str(root_dir / "test_data" / "SolarWinds.exe"), "rb") as f: