I'm trying to use CODESIGN_SHA = "12" for hybrid SHA-1/SHA-2 signing. I'm
using signtool.exe 6.3.9600.17298 from windows 8.1 SDK.

I tested using the command line, and it works fine for both algorithms, but
for SHA1 timestamping I must use server
http://timestamp.comodoca.com/authenticode, and for SHA2, server
http://timestamp.comodoca.com/rfc3161

In SB8 I can only configure one timestamp URL, so I can only successfully
sign code with SHA1 or SHA2, not both.

Is there a way to specify both timestamp urls in SB8? Or is my only option
to disable rfc3161 using CODESIGN_TSTYPE?

Carlos Gutierrez

I set CODESIGN_SHA = 12
CODESIGN_TSTYPE = 1

and use http://timestamp.globalsign.com/scripts/timestamp.dll

Dual-signs without problem.

jf

Hi Jane

>I set CODESIGN_SHA = 12 CODESIGN_TSTYPE = 1 and use
>http://timestamp.globalsign.com/scripts/timestamp.dll

Thanks, that worked for me too, but it means using a SHA1 signature with a
3161 timestamp. Older windows version can't read 3161 timestamps (at least a
WinXPsp3 VM I had handy couldn't). This defeats the purpose of using
SHA1/SHA2 hybrid signing.

With these two command, a timestamp can be read in both old (tested with the
same XP VM) and new Windows versions:

signtool.exe sign /f "test.pfx" /p "....." /du "http://test.mx" /d "Test "
/t "http://timestamp.comodoca.com/authenticode" /v "test.exe"

signtool.exe sign /as /fd sha256 /f "test.pfx" /p "....." /du
"http://test.mx" /d "Test" /tr "http://timestamp.comodoca.com/rfc3161" /td
sha256 /v "test.exe"

It would be great if SB could do the same.

Carlos Gutierrez

Hi Friedrich

I guess you were busy with your new site (looks great, BTW,
contratulations!). If you have a few minutes, I'll appreciate your comments
on this.

Best regards,

-- Carlos Gutiérrez

Hi Carlos,

Sorry for my late reply. The "new website" project slowed things down here.
I hate that :-(

I'll look into this and get back to you.

Friedrich

Hi Carlos,

When doing dual-sign code with a timestamp, the next SB version supports
Authenticode Time-Stamp Authority (for SHA-1) and RFC 3161 Time-Stamp
Authority (for SHA-2).

Friedrich

> the next SB version supports Authenticode Time-Stamp Authority (for SHA-1)
> and RFC 3161 Time-Stamp Authority (for SHA-2).

Thanks!

Carlos Gutierrez

This is how SetupBuilder 10 can handle dual SHA-1/SHA-2 code signing using
Microsoft Authenticode compatible time stamp and RFC 3161 compliant trusted
time stamp servers.

Important: this does NOT work in SetupBuilder 8.5 !!!

Friedrich

Nice !!

Jane Fleming

>This is how SetupBuilder 10 can handle dual SHA-1/SHA-2 code signing

Perfect, thanks!

Carlos Gutierrez