How does one correctly dual-sign code with a timestamp?
I have two code signing certificates (one SHA-1, one SHA-256) which I'd like to apply to the same file. I tried to append the SHA-256 certificate, but this fails:

:: Signs with the SHA-1 certificate
signtool sign /sha1 8f52fa9db30525dfabb35b08bd1966693a30eccf /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe
:: Signs with the SHA-2 certificate
signtool sign /sha1 8b0026ecbe5bf245993b26e164f02e1313579e47 /as /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe

This fails with the error:

Done Adding Additional Store
SignTool Error: SignedCode::Sign returned error: 0x80070057
        The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: my_app_here.exe

If I remove the timestamp URL from the second command, the signing completes successfully, but the SHA-2 signature has no timestamp. (Whether or not I put a timestamp on the first signature has no effect.)

The intent here is to allow someone to verify the app with the stronger certificate if they are on an operating system that supports this, but to avoid failing validation on operating systems that don't support the stronger certificates (Vista, XP).

Is this kind of thing even possible?

Spruill answered 16/12, 2013 at 0:11 Comment(2)
Well, glad to know I am not alone in my need for this... – Headman
Did you try /td sha256 /tr ... instead of /t ... for the second signature? – Polyhymnia
12

SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.

The RFC 3161 URL for Symantec/Verisign is:

http://sha256timestamp.ws.symantec.com/sha256/timestamp

If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.

Source:

https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820

Avidity answered 7/12, 2014 at 3:37 Comment(4)
Thank you for explaining "why it doesn't work", other answers I've read miss that part. To make it work, simply replace /t http://timestamp.verisign.com/scripts/timestamp.dll with /tr http://timestamp.geotrust.com/tsa. – Flush
GeoTrust server still uses SHA1 digest for the timestamp and, what is even worse, their certificate chain terminates in a root certificate with an MD5 digest. If you want SHA256 digest for the timestamp use timestamp.globalsign.com/?signature=sha2 as the URL (specifying /td SHA256 doesn't hurt either). – Allanallana
The SHA-256 with RFC 3161 timestamping URL is sha256timestamp.ws.symantec.com/sha256/timestamp – Scenery
Apparently they are retiring this timestamp server on 24/7/24 and replacing it with timestamp.digicert.com according to an email I just received. However the old server appears to still be working. – Lesseps
0

The timestamp URL in the answer will no longer work after 7/24/2024.

The latest timestamp URLs are:

  • timestamp.digicert.com
  • 216.168.244.9

Explanatory note:

On July 24, 2024, at 17:00 MDT (23:00 UTC) DigiCert will shut down our legacy Symantec timestamping service. If you or customers use timestamping when signing executables or documents, you may need to change the timestamp URL in your signing tool to the newer DigiCert service, timestamp.digicert.com, before the shutdown occurs.

Conducive answered 18/7 at 20:41 Comment(0)
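Putting the accepted answer and the URL update together, here is a corrected version of the question's two-step procedure as an added example (it is not code from the question or any of the answers). It uses the two certificate thumbprints from the question, assumes signtool.exe is on PATH with both certificates and their private keys in the current user's store, and assumes that timestamp.digicert.com answers both legacy Authenticode (/t) and RFC 3161 (/tr) requests, which is how DigiCert documents its replacement for the retired Symantec service. The helper name Invoke-SignTool is my own.

```powershell
# Added example (not from the original question or answers): dual-sign a PE
# with a SHA-1 and a SHA-256 code-signing certificate, each with its own
# timestamp, then verify both signatures. Assumes signtool.exe is on PATH and
# both certificates (with private keys) are in the current user's store.
# The thumbprints are the ones from the question; replace them with your own.

$ErrorActionPreference = 'Stop'

$File      = 'my_app_here.exe'
$Sha1Thumb = '8f52fa9db30525dfabb35b08bd1966693a30eccf'   # SHA-1 signing cert
$Sha2Thumb = '8b0026ecbe5bf245993b26e164f02e1313579e47'   # SHA-256 signing cert

# Assumed: timestamp.digicert.com serves both legacy Authenticode (/t) and
# RFC 3161 (/tr) timestamps, as DigiCert documents for its replacement service.
$Tsa = 'http://timestamp.digicert.com'

# Hypothetical helper: run signtool and fail loudly on a non-zero exit code,
# so a failed timestamp request cannot leave a half-signed file unnoticed.
function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): signtool $($Arguments -join ' ')"
    }
}

# 1. Primary signature: SHA-1 file digest with a legacy Authenticode
#    timestamp (/t). This is the signature XP/Vista-era verifiers can read.
Invoke-SignTool @('sign', '/sha1', $Sha1Thumb, '/fd', 'sha1', '/t', $Tsa, $File)

# 2. Appended signature (/as): SHA-256 file digest. A SHA-2 signature has to be
#    timestamped by an RFC 3161 server (/tr) with a SHA-256 timestamp digest
#    (/td); passing a legacy /t URL here is what yields 0x80070057 in the question.
Invoke-SignTool @('sign', '/sha1', $Sha2Thumb, '/fd', 'sha256', '/as',
                  '/tr', $Tsa, '/td', 'sha256', $File)

# 3. Verify every signature (/all), not only the primary one, with verbose
#    output (/v) so both timestamps and both certificate chains can be inspected.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

The verify step is the check worth keeping in a build pipeline: without /all, signtool only reports the primary (SHA-1) signature, and a missing or untimestamped SHA-256 signature would go unnoticed until the SHA-1 certificate expires.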
