Alex I

Reputation: 2400

Signtool.exe /dg /ds /di options and timestamping

We are working on optimizing the digital signing process using the signtool.exe digest options. So far the workflow looks like this:

  1. Create the digest on the client: signtool.exe sign /f cert /fd sha256 /dg . MyFile.dll
  2. Send MyFile.dll.dig digest to our signing server.
  3. Sign digest on the signing server: signtool.exe sign /f cert /fd sha256 /ds MyFile.dll.dig
  4. Send the signature MyFile.dll.dig.signed back to the client.
  5. Create signature on the client: signtool.exe sign /di . MyFile.dll
  6. Add a timestamp on the client: signtool.exe timestamp /tr http://some_timestamp_server /td sha256 MyFile.dll

Is there a way to perform timestamping on the signing server?

Upvotes: 7

Views: 2470
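The six-step workflow above, driven from the client side as a PowerShell script. This is an added example, not code from the question or either answer. It assumes signtool.exe is on PATH, the client holds the certificate file passed to /dg (no private key is needed on the client), the signing server is reached through a caller-supplied script block (a placeholder for whatever transport you use), and the timestamp server URL is a placeholder. It adds what the bare command list does not show: an exit-code check on every signtool call, a check that the .p7u file produced by /dg is still present for /di, and a final verify step that confirms the timestamp actually landed.

```powershell
# Added example (not from the question or answers). Assumptions: signtool.exe on PATH,
# certificate file available on the client, placeholder transport and timestamp URL.

function Invoke-SignTool {
    param([string[]]$Arguments)
    $output = & signtool.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "signtool.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$output"
    }
    return $output
}

function Invoke-DetachedSigning {
    param(
        [Parameter(Mandatory)][string]$File,                      # e.g. .\MyFile.dll
        [Parameter(Mandatory)][string]$CertFile,                  # certificate used by /dg
        [Parameter(Mandatory)][scriptblock]$SendDigestToServer,   # gets the .dig path, returns the .dig.signed path
        [string]$TimestampUrl = 'http://TIMESTAMP_SERVER_PLACEHOLDER'   # placeholder, replace with your TSA
    )
    $dir    = Split-Path -Parent (Resolve-Path $File)
    $name   = Split-Path -Leaf $File
    $digest = Join-Path $dir "$name.dig"
    $p7u    = Join-Path $dir "$name.p7u"
    $signed = Join-Path $dir "$name.dig.signed"

    # Step 1: /dg writes <name>.dig (to-be-signed digest) and <name>.p7u (unsigned PKCS#7)
    # into the given directory. The .p7u never leaves the client; /di needs it later.
    Invoke-SignTool @('sign', '/f', $CertFile, '/fd', 'sha256', '/dg', $dir, $File) | Out-Null
    if (-not (Test-Path $digest) -or -not (Test-Path $p7u)) {
        throw "/dg did not produce both $digest and $p7u"
    }

    # Steps 2-4: only the digest travels. The server runs
    #   signtool.exe sign /f cert /fd sha256 /ds <name>.dig
    # and hands back <name>.dig.signed. Transport is the caller's problem.
    $returned = & $SendDigestToServer $digest
    if ($returned -ne $signed) { Copy-Item $returned $signed -Force }   # /di expects <dir>\<name>.dig.signed

    # Step 5: ingest the signed digest into the .p7u and embed the signature in the file.
    Invoke-SignTool @('sign', '/di', $dir, $File) | Out-Null

    # Step 6: timestamp the already-signed file. No private key is involved here.
    Invoke-SignTool @('timestamp', '/tr', $TimestampUrl, '/td', 'sha256', $File) | Out-Null

    # Check: verbose verify output is assumed to say "not timestamped" when step 6 did not stick.
    $verify = Invoke-SignTool @('verify', '/pa', '/v', $File)
    if ($verify -match 'not timestamped') { throw "Signature present but no timestamp on $File" }

    Remove-Item $digest, $p7u, $signed -ErrorAction SilentlyContinue
    return $verify
}

# Usage. The script block stands in for your upload/download to the signing server.
# Invoke-DetachedSigning -File .\MyFile.dll -CertFile .\cert.cer -SendDigestToServer {
#     param($DigestPath)
#     # ... send $DigestPath to the signing server, receive "$DigestPath.signed" back ...
#     return "$DigestPath.signed"
# }
```

The verify step is the part worth keeping even if you drop the rest: a file that passed /di but whose timestamp request failed (TSA down, proxy in the way) still verifies as signed today, and only the verbose output tells you it will stop verifying when the certificate expires.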

Answers (2)

videoguy

Reputation: 1918

I learnt this the hard way after many trials and errors. For those who land here, here is the answer. You don't need the signing cert's private key on the system where you are time stamping. Once a file has a signature, you can invoke signtool with the timestamp option. It will add a time stamp for the signature.

Upvotes: 0

Dan

Reputation: 2165

Is there a way to perform timestamping on the signing server?

No, not without transferring the entire file to your signing server. The timestamping is an operation applied directly to the file itself, so the file must exist locally. Your remote signing service only works because only the digest needs to be signed, not the full binary. However, as you pointed out, you still need to ingest the signed digest locally using the /di signtool option.

What you can do is create a custom tool to programmatically sign and timestamp a file according to your requirements. See this Microsoft article for how to use SignerSignEx2 function which supports timestamping.
https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-programmatically-sign-a-package?redirectedfrom=MSDN

You may have already seen this, but I would also look at the AzureSignTool repo, which uses the undocumented SignerSignEx3 function to perform the signing using a callback. You could reasonably replace the Azure functionality with a call to some other custom signing service.

Upvotes: 1
