VerificationError for expired certificate even though there's a valid countersignature #6

Closed
MrCrumbs opened this issue Apr 20, 2020 · 1 comment

Comments

@MrCrumbs

In the following sample the SolarWinds certificate is valid to Friday, February 7, 2020 2:59:59 AM, however Windows accepts this as a valid signature, because there's a countersignature (Symantec SHA256 TimeStamping Signer - G3) that is valid and was signed on Monday, August 26, 2019 5:52:39 PM.

For some reason, Signify fails to verify the signature, saying that it expired, even though there's a valid countersignature:

VerificationError: Chain verification from CN=Solarwinds Worldwide\, LLC, O=Solarwinds Worldwide\, LLC, L=Austin, ST=Texas, C=US(serial:156211740539252461235167966181669418108) failed: The path could not be validated because the end-entity certificate expired 2020-02-06 23:59:59Z

I might be missing something, so please feel free to explain and close the issue if this is expected behavior. Thanks!

Sample:
SolarWinds MSP Patch Management Engine Setup.zip

@ralphje
Owner

ralphje commented Apr 21, 2020

You are correct. The timestamp is present in the unauthenticated attributes with OID 1.3.6.1.4.1.311.3.3.1. This appears to be an RFC3161 response, which is included in Microsoft's own namespace. I'll look into this.
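
Added example (not part of the issue thread and not Signify's code): a minimal DER walker that lists which timestamp attribute types are present in a SignerInfo's unauthenticated attributes, recognising both the PKCS#9 countersignature OID (1.2.840.113549.1.9.6, not mentioned on this page) and the Microsoft OID named in the comment above. The function names are hypothetical and the sample bytes are constructed, with empty attribute values in place of real timestamp data.

```python
# Added example: find timestamp attributes among a SignerInfo's
# unauthenticated attributes. Sample bytes below are constructed.
TIMESTAMP_OIDS = {
    "1.2.840.113549.1.9.6": "PKCS#9 countersignature",
    "1.3.6.1.4.1.311.3.3.1": "RFC 3161 token under Microsoft OID",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def timestamp_attributes(unauth_attrs):
    """Names of known timestamp attributes in a DER SET OF Attribute."""
    _, body, _ = read_tlv(unauth_attrs, 0)
    found, pos = [], 0
    while pos < len(body):
        tag, attr, pos = read_tlv(body, pos)  # Attribute ::= SEQUENCE
        oid_tag, oid, _ = read_tlv(attr, 0)   # first field is the type OID
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("not an Attribute")
        if decode_oid(oid) in TIMESTAMP_OIDS:
            found.append(TIMESTAMP_OIDS[decode_oid(oid)])
    return found

# Constructed samples: [1] IMPLICIT SET holding one Attribute with an empty value set.
MS_RFC3161 = bytes.fromhex("a110300e060a2b0601040182370303013100")
PKCS9_CS = bytes.fromhex("a10f300d06092a864886f70d0109063100")
```

A verifier that finds neither attribute has no trusted signing time and can only check the certificate chain against the current time.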
