
Binaries are timestamped though. If you sign it, it's practically valid forever (unless you revoke the signature).


It takes more than the signing date to assert validity at the time of signing rather than at the time of checking.

This means that these signatures tend to expire when the code signing certificate or the CA itself expires.


That's why you get a timestamp countersignature; that's what the person you're replying to is talking about. They are absolutely correct. This is standard practice. Signed executables on Windows DO NOT lose trust when the certificate expires as long as they are cryptographically timestamped.

https://learn.microsoft.com/en-us/windows/win32/seccrypto/ti...

My first code signing certificate from long ago is already expired; the signed executables under that certificate are still trusted by Windows.
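A way to check the behaviour discussed in this thread on a Windows machine, as an added example that is not part of any comment above: it lists signed binaries whose signer certificate has already expired, next to whether they carry a timestamp countersignature and what trust status PowerShell reports. The scan root and the output column names are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): inventory signed files whose signer
# certificate has expired, and show whether each one is timestamped.
param(
    # Assumed scan root; point it at any directory you want to audit.
    [string]$Root = 'C:\Program Files'
)

$now = Get-Date

$report = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # No signer certificate means the file is unsigned; skip it.
        if ($null -eq $sig.SignerCertificate) { return }

        $tsa = $sig.TimeStamperCertificate

        [pscustomobject]@{
            Path           = $_.FullName
            Status         = $sig.Status                        # trust verdict as reported today
            SignerExpired  = $sig.SignerCertificate.NotAfter -lt $now
            SignerNotAfter = $sig.SignerCertificate.NotAfter
            Timestamped    = $null -ne $tsa                      # countersignature present?
            TimestampedBy  = if ($tsa) { $tsa.Subject } else { '' }
        }
    } |
    Where-Object { $_.SignerExpired }

# Expired signer, grouped by whether a timestamp countersignature exists.
$report |
    Sort-Object Timestamped, Path |
    Format-Table Status, Timestamped, SignerNotAfter, Path -AutoSize

# Summary: how many expired-signer files fall into each Status/Timestamped pair.
$report |
    Group-Object Status, Timestamped |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Rows with `Timestamped` set to `True` are the case the last two comments describe; comparing their `Status` with any rows where `Timestamped` is `False` shows the difference the timestamp makes.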



