
We are working on optimizing the digital signing process using the signtool.exe digest options. So far the workflow looks like this:

  1. Create the digest on the client: signtool.exe sign /f cert /fd sha256 /dg . MyFile.dll
  2. Send MyFile.dll.dig digest to our signing server.
  3. Sign digest on the signing server: signtool.exe sign /f cert /fd sha256 /ds MyFile.dll.dig
  4. Send the signature MyFile.dll.dig.signed back to the client.
  5. Create signature on the client: signtool.exe sign /di . MyFile.dll
  6. Add a timestamp on the client: signtool.exe timestamp /tr http://some_timestamp_server /td sha256 MyFile.dll

Is there a way to perform timestamping on the signing server?

Alex I
  • What prevents you from performing the timestamping on the signing server? – Progman Sep 14 '19 at 06:40
  • What is the command? signtool.exe timestamp … MyFile.dll? MyFile.dll is never sent to the signing server. – Alex I Sep 14 '19 at 18:54
  • Why do you not send the MyFile.dll file to the signing server, which will apply the timestamp with the command you wrote in the question? – Progman Sep 14 '19 at 19:14
  • Because of the file size. It could be hundreds of megabytes. While .dig and .deg.signature files are really small, under 1K. – Alex I Sep 16 '19 at 04:52
  • When I try to replicate this locally it would seem that I need a p7u file that is created at step 1. Do you have the same behavior? – DaWNFoRCe Dec 12 '19 at 09:10
  • @AlexI Right after 1st step, I do see digital signature tab in the properties panel of MyFile.dll. Is that normal? I was expecting the tab be visible after the last step. – videoguy Dec 11 '22 at 20:03

1 Answer

Is there a way to perform timestamping on the signing server?

No, not without transferring the entire file to your signing server. The timestamping is an operation applied directly to the file itself, so the file must exist locally. Your remote signing service only works because only the digest needs to be signed, not the full binary. However, as you pointed out, you still need to ingest the signed digest locally using the /di signtool option.

What you can do is create a custom tool to programmatically sign and timestamp a file according to your requirements. See this Microsoft article for how to use the SignerSignEx2 function, which supports timestamping:
https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-programmatically-sign-a-package?redirectedfrom=MSDN

You may have already seen this, but I would also look at the AzureSignTool repo, which uses the undocumented SignerSignEx3 function to perform the signing using a callback. You could reasonably replace the Azure functionality with a call to some other custom signing service.

Dan
  • When I try to replicate this locally it would seem that I need a p7u file that is created at step 1. Do you have the same behavior? I assume this file contains the certificates in PKCS7 and then the .signed file contains the signature in Base64. Would the last step be only merging them both? – DaWNFoRCe Dec 12 '19 at 09:11
  • I don't believe the .p7u file is needed, I'm not entirely sure what you're asking though. Are you referring to the time stamping as the last step? – Dan Dec 12 '19 at 21:29
  • Actually, the ingest step: signtool.exe sign /di . MyFile.dll. If you erase the p7u file from the directory where MyFile.dll is, then you will get an error from signtool. – DaWNFoRCe Dec 13 '19 at 09:14
  • So yeah... what does this .p7u have, and why is it important? Anybody? – DaWNFoRCe Dec 19 '19 at 12:12
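The six-step workflow from the question, split into its client half and its server half, as an added PowerShell example; it is not code from the question, the answer, or Microsoft, and it also carries the answer's point that the timestamp is applied on whichever host holds the full file. Assumptions of this example: signtool.exe is on PATH on both hosts; the question's `/f cert` is taken to be the public certificate (.cer) on the client and the PFX holding the private key on the server; the function names, the `Invoke-SignTool` wrapper, the placeholder paths and the audit logging are this example's own. The `.p7u` file the comments ask about is the unsigned PKCS#7 container that `/dg` writes next to the `.dig`; `/di` completes it with the `.dig.signed`, which is why it must stay beside the binary between step 1 and step 5.

```powershell
# Added example: detached-digest signing with signtool, client and server halves.
# Assumptions: signtool.exe on PATH; signer.cer (public) on the client, signer.pfx
# (private key) on the server; transport between the two is authenticated.
$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    # Run signtool and fail loudly on a non-zero exit code. signtool writes its
    # diagnostics to stdout, so the merged output is returned for the caller.
    param([string[]]$Arguments)
    $out = & signtool.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed ($LASTEXITCODE):`n$out"
    }
    $out
}

function New-DetachedDigest {
    # Client, step 1: /dg writes <file>.dig (the to-be-signed digest) and
    # <file>.p7u (the unsigned PKCS#7 container that /di completes in step 5).
    # Assumption: only the public certificate is needed here, so the private
    # key never leaves the server.
    param([string]$File, [string]$PublicCert, [string]$OutDir = '.')
    Invoke-SignTool @('sign', '/f', $PublicCert, '/fd', 'sha256', '/dg', $OutDir, $File) | Out-Null
    $name = Split-Path -Leaf $File
    $dig  = Join-Path $OutDir "$name.dig"
    $p7u  = Join-Path $OutDir "$name.p7u"
    foreach ($f in $dig, $p7u) {
        if (-not (Test-Path $f)) { throw "expected $f after /dg" }
    }
    # Only the .dig travels to the server; the .p7u must stay next to the binary.
    [pscustomobject]@{ Digest = $dig; Pkcs7 = $p7u }
}

function Invoke-ServerSignDigest {
    # Server, step 3: /ds signs the digest only and writes <digest>.signed.
    # The server never sees the binary, so it cannot inspect what it signs;
    # record who asked and what was signed so the act is at least auditable
    # (the logging policy is this example's assumption).
    param([string]$Digest, [string]$Pfx, [string]$PfxPassword)
    $hex = (Get-FileHash -Algorithm SHA256 $Digest).Hash
    Write-Verbose "signing $Digest for $env:USERNAME (sha256 of digest file: $hex)"
    $args = @('sign', '/f', $Pfx)
    if ($PfxPassword) { $args += @('/p', $PfxPassword) }
    $args += @('/fd', 'sha256', '/ds', $Digest)
    Invoke-SignTool $args | Out-Null
    $signed = "$Digest.signed"
    if (-not (Test-Path $signed)) { throw "expected $signed after /ds" }
    $signed
}

function Complete-Signature {
    # Client, steps 5 and 6: /di merges <file>.dig.signed into <file>.p7u and
    # embeds the result in the binary; the timestamp is then a countersignature
    # over that embedded signature, so it has to run where the full file is.
    param([string]$File, [string]$Dir, [string]$Tsa)
    $name = Split-Path -Leaf $File
    foreach ($f in "$name.dig.signed", "$name.p7u") {
        if (-not (Test-Path (Join-Path $Dir $f))) { throw "$f missing in $Dir; /di needs both" }
    }
    Invoke-SignTool @('sign', '/di', $Dir, $File) | Out-Null
    Invoke-SignTool @('timestamp', '/tr', $Tsa, '/td', 'sha256', $File) | Out-Null
    # Verify chain and timestamp before shipping: /pa applies the default
    # Authenticode policy, /v prints signer and timestamp details.
    Invoke-SignTool @('verify', '/pa', '/v', $File)
}

# Usage (paths and the TSA URL are placeholders):
# $a = New-DetachedDigest -File .\MyFile.dll -PublicCert .\signer.cer
# # ... copy $a.Digest to the signing server ...
# $s = Invoke-ServerSignDigest -Digest .\MyFile.dll.dig -Pfx .\signer.pfx -PfxPassword $pw
# # ... copy $s back beside MyFile.dll and the MyFile.dll.p7u from step 1 ...
# Complete-Signature -File .\MyFile.dll -Dir . -Tsa 'http://some_timestamp_server'
```

The `/di` step only consumes the small `.dig.signed` and `.p7u` files, so it is the one place a bad transfer shows up; the explicit presence check reproduces the error the comments describe as a clear message instead of a signtool failure. Because the server signs an opaque digest, nothing in this flow lets it confirm what it is signing; whatever authenticates the client to the server is what stands between the key and an attacker who can reach it.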