5

I'm using signtool.exe on Windows to code sign with a SHA256 signature.

The only example I see (from Symantec) shows using:

http://timestamp.geotrust.com/tsa

...as the time server.

E.g.: signtool.exe sign /a /s MY /n "Common name" /as /fd sha256 /tr http://timestamp.geotrust.com/tsa /v "<file to be signed>"

But I'm wondering if there are other publicly supported RFC 3161 timestamp servers that will also work.

I'm asking because we had previously built redundancy into our code signing process when using SHA1 by having a few different servers (and multiple retry attempts + delays). This helped resolve very occasional but annoying build failures.

I want to do the same when code signing with SHA256.

Daniel

1 Answer

3

Found this additional RFC 3161 timeserver:

http://timestamp.comodoca.com/rfc3161

Source: http://zabkat.com/blog/code-signing-sha1-armageddon.htm

Daniel
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - [From Review](/review/low-quality-posts/10792833) – Guy Coder Jan 06 '16 at 12:55
  • @GuyCoder I answered my own question (several days after posting since no one else answered and I finally found 1 answer), and it actually does answer the question. – Daniel Jan 06 '16 at 15:55
  • Short answers, especially ones that are basically a link, are discouraged at StackOverflow. I agree that is a meaningful answer to you. Could you provide some of the details from the link in the answer so that others do not have to track down the details? This is also desirable in case the link rots. I recently had to remove a link to an answer of mine that now requires a password to access the document. In hindsight I wish I did add more of the details from the link in my answer. Thanks. – Guy Coder Jan 06 '16 at 16:01
  • 1
    @GuyCoder I changed the answer because the old URL did not work properly. In any case, I wanted to clarify why it's appropriate for the answer to just be a URL (note I'm not using the word "link"). A timestamp server URL is not a link to a web page; it's a service that does timestamping. You can't browse content at this URL. I appreciate the value of avoiding "link-only" answers, but in my opinion, this guidance is not appropriate in this very specific case. I referenced the Source web site because this is where I found it. But there's no relevant content at this source to copy here. – Daniel Jan 08 '16 at 19:15
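
The redundancy described in the question (several RFC 3161 servers, multiple retry attempts, delays), sketched as a build-script wrapper around the signtool command shown above. This is an added example, not code from either poster: the function names, the retry count, the delay, and the injectable `run`/`sleep` parameters are assumptions, and the two URLs are simply the ones quoted on this page.

```python
import subprocess
import time

# Both URLs are quoted on this page; their current availability is not verified here.
TIMESTAMP_SERVERS = [
    "http://timestamp.geotrust.com/tsa",
    "http://timestamp.comodoca.com/rfc3161",
]


def build_command(target, server, common_name):
    """The signtool invocation from the question, with the /tr URL swapped in."""
    return ["signtool.exe", "sign", "/a", "/s", "MY", "/n", common_name,
            "/as", "/fd", "sha256", "/tr", server, "/v", target]


def sign_with_fallback(target, common_name, servers=TIMESTAMP_SERVERS,
                       attempts_per_server=3, delay_seconds=5.0,
                       run=subprocess.run, sleep=time.sleep):
    """Try each server in order; return the URL that worked, raise if none did.

    run and sleep are injectable (an assumption of this sketch) so the retry
    logic can be exercised without signtool installed or real waiting.
    """
    failures = []
    for server in servers:
        for attempt in range(1, attempts_per_server + 1):
            if failures:
                sleep(delay_seconds)  # back off before every retry, never before the first try
            try:
                result = run(build_command(target, server, common_name),
                             capture_output=True, text=True, timeout=120)
            except subprocess.TimeoutExpired:
                failures.append((server, attempt, "timeout"))
                continue
            if result.returncode == 0:
                return server
            failures.append((server, attempt, result.returncode))
    # Surface every failed attempt so the build log shows which servers were down.
    raise RuntimeError(f"signing failed on all timestamp servers: {failures}")


if __name__ == "__main__":
    # "Common name" and the file name are placeholders, as in the question.
    print(sign_with_fallback("app.exe", "Common name"))
```

Logging the returned URL in the build output makes it visible when the primary server has started failing and the fallback is carrying the load.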