60

I was trying to build my setup scripts with Inno Setup these past two days (1 & 2 Jan 2021) and the digital signing was failing. So I contacted Verisign via email and await their response.

Martin Prikryl
Andrew Truckle

2 Answers

91

I received an official response from Verisign this afternoon (on 2 Jan 2021):

Thank you for contacting Verisign Support.

This server was deprecated after our authentication services were sold to Symantec, which is now Digicert. You can find a list of free timestamp servers online or theirs is now at http://timestamp.digicert.com.

If you have additional questions, please do not hesitate to contact us.

So the http://timestamp.verisign.com timestamp server is no more.

At the moment I know of the following alternatives (in addition to Digicert above) which work well:

  • http://timestamp.comodoca.com/authenticode
  • http://timestamp.globalsign.com/scripts/timestamp.dll
  • http://tsa.starfieldtech.com
Andrew Truckle
  • 2
    I wasn't able to find any public posts about this. Did they point you to any deprecation announcements? It seems like this was completely announced. – AlannaRose Jan 04 '21 at 22:03
  • 3
    @AlannaRose No, I emailed their support and I copy / pasted their response to me. – Andrew Truckle Jan 04 '21 at 22:04
  • 3
    Note about http://timestamp.comodoca.com/authenticode : I stopped using that one in June 2020 because it started generating broken timestamps, I believe due to an expired root certificate. – Wim Coenen Jan 07 '21 at 16:51
  • 4
    Another note about http://tsa.starfieldtech.com: this one does not seem reliable, I think it bans IPs that do "too much" signing. – Wim Coenen Jan 11 '21 at 09:03
  • 1
    Tried pinging the timestamp.digicert.com today and got Request timed out. timestamp.globalsign.com appears to be alive. – KermitG Feb 11 '21 at 12:00
  • 2
    Another one you can use is `http://timestamp.sectigo.com` (see https://sectigo.com/resource-library/time-stamping-server for details) – jcaron May 24 '21 at 09:46
  • Regarding ping: *The timestamping server will not respond to any other network probes (such as a ping or a tracert.)*. This is from https://knowledge.digicert.com/solution/SO912.html – Palle Due Jun 29 '22 at 12:29
  • Even I am getting this below, is this down? Failed to convert timestamp reply from http://timestamp.comodoca.com/authenticode; HTTP status 404 – JDGuide Jan 27 '23 at 09:16
  • 1
    @JDGuide when I clicked that link it redirected to: https://sectigo.com/resource-library/time-stamping-server. Did you see the comment dated Jan 7, 2021 by WimCoenen? – Andrew Truckle Jan 27 '23 at 13:56
32

When using Microsoft's SignTool.exe

Change the timestamping server (-t):

  • Before: signcode -t "http://timestamp.verisign.com/scripts/timstamp.dll" (defunct)
  • After:    signcode -t "http://timestamp.digicert.com"
Ian Boyd
  • If someone was already signing their executables they would surely know how to change the server used for the timestamp? – Andrew Truckle Jan 06 '21 at 18:53
  • 9
    @AndrewTruckle Exactly. And in order to help along the process, and since Stack Overflow is also a wiki, I'm providing the information to others to help them along. No reason they have to suffer through remembering all these details that they laid down in a `.cmd` file 17 years ago and haven't thought about since. – Ian Boyd Jan 06 '21 at 18:56
  • 1
    Fair enough. Then you might want to flesh your answer out with a direct link to the SignTool documentation at Microsoft: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool Up to you! – Andrew Truckle Jan 06 '21 at 19:05
  • 3
    @IanBoyd This was a life saver. The 'someone' left the company and left no instructions. The server that had the data crashed and there were no backups. Two groups thought the other group was responsible for backups. So I was left with a black hole. – Ryan Buton Jan 28 '21 at 16:42