Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
538 views
in Technique[技术] by (71.8m points)

timestamp - Alternative timestamping services for Authenticode

We perform code signing and timestamping for all our production builds. Occasionally (usually when we are about to RTM (!)) the timestamp server at Verisign ("http://timestamp.verisign.com/scripts/timstamp.dll") decides to go offline intermittently.

What should we do in this case?

  • Does the timestamp server have to be hosted by your root certification authority?
  • Are there any other network-hosted timestamp servers we could use instead of Verisign if their server is down? Suggestions for other highly available and free alternatives are welcome :)
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I use the following batch file which loops a max of 300 times. There are two arguments, %1 is the path to a folder containing the batch file, pfx file and signtool.exe. %2 is the full path to the file being signed. You can call this in your visual studio post build event with something like call "$(SolutionDir)thirdpartysigningsign.bat" "$(SolutionDir)thirdpartysigning" "$(TargetPath)" I have modified this batch file to use different timestamp servers in each iteration. Currently it uses Comodo, Verisign, GlobalSign and Starfield. Hopefully this is The Ultimate Signing Script ;)

@echo off    

REM create an array of timestamp servers...
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

REM sign the file...
%1signtool.exe sign /f %1comodo.pfx /p videodigital %2

set timestampErrors=0

for /L %%a in (1,1,300) do (

    for %%s in %SERVERLIST% do (

        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        %1signtool.exe timestamp /t %%s %2

        REM check the return value of the timestamping operation and retry a max of ten times...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded

        echo Signing failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1
    )

    REM wait 2 seconds...
    choice /N /T:2 /D:Y >NUL
)

REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1

:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0

I also put http://timestamp.comodoca.com into the trusted sites (thanks Vince). I think that may be an important step. I updated the root certificates on the PC too.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...