I'm not sure I understand. It doesn't matter if the consumer of the certificate is able to set their clock to make the certificate/signature valid because most people don't do that, but if the producer of the signature can simply set their clock to produce a signature/timestamp combination that's considered valid by a consumer regardless of their clock, then what's the point of expiring the certificate?
It gets timestamped by the certificate authority, using their authorized servers. For example, I have a code-signing certificate issued by Comodo, and when I sign my software, it get timestamped by: http://timestamp.comodoca.com
Yes I should have been more clear. A user which wants to run a signed executable with expired certificate can trick the validation process on his machine by setting the system clock back into the valid period.
But for the code-signer this trick doesn't work, the sign-tool needs to talk to a time-stamp server, usually owned by a certificate authority. I know that the Microsoft signtool.exe and the Java jarsigner can use timestamps, apparently on OSX this works too (search for --timestamp cmdline arg: https://developer.apple.com/library/mac/documentation/Darwin...)
But yeah, it looks like Microsoft countersigns, assuming this is what that original comment was referring to: https://msdn.microsoft.com/en-us/library/windows/desktop/bb9...