Alternative timestamping services for Authenticode
Problem description
We perform code signing and timestamping for all our production builds. Occasionally (usually when we are about to RTM (!)) the timestamp server at Verisign ("http://timestamp.verisign.com/scripts/timstamp.dll") decides to go offline intermittently.
What should we do in this case?
- Does the timestamp server have to be hosted by your root certification authority?
- Are there any other network-hosted timestamp servers we could use instead of Verisign if their server is down? Suggestions for other highly available and free alternatives are welcome :)
Recommended answer
I use the following batch file, which loops a max of 300 times. There are two arguments: %1 is the path to a folder containing the batch file, pfx file and signtool.exe. %2 is the full path to the file being signed. You can call this in your Visual Studio post-build event with something like: call "$(SolutionDir)thirdparty\signing\sign.bat" "$(SolutionDir)thirdparty\signing" "$(TargetPath)". I have modified this batch file to use different timestamp servers in each iteration. Currently it uses Comodo, Verisign, GlobalSign and Starfield. Hopefully this is The Ultimate Signing Script ;)
@echo off
REM create an array of timestamp servers...
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
REM sign the file...
%1\signtool.exe sign /f %1\comodo.pfx /p videodigital %2
set timestampErrors=0
REM make up to 300 passes over the server list...
for /L %%a in (1,1,300) do (
    for %%s in %SERVERLIST% do (
        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        %1\signtool.exe timestamp /t %%s %2
        REM exit code 0 means the timestamp was applied; otherwise move on to the next server...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded
        echo Signing failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1
    )
    REM wait 2 seconds...
    choice /N /T:2 /D:Y >NUL
)
REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1
:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0
I also put http://timestamp.comodoca.com into the trusted sites (thanks Vince). I think that may be an important step. I updated the root certificates on the PC too.
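The same failover idea in PowerShell, as an added example that is not part of the original answer: it rotates through the answer's server list and then confirms with Get-AuthenticodeSignature that the file really carries a timestamp countersignature, so a build cannot ship a signed-but-untimestamped binary unnoticed. The function name, parameter names and the default of 5 rounds are assumptions made for illustration.

```powershell
# Added example (hypothetical function and parameter names; server URLs copied from the batch file above).
function Add-TimestampWithFailover {
    param(
        [Parameter(Mandatory)] [string] $SignTool,   # full path to signtool.exe
        [Parameter(Mandatory)] [string] $File,       # file that has already been signed
        [string[]] $Servers = @(
            'http://timestamp.comodoca.com/authenticode',
            'http://timestamp.verisign.com/scripts/timestamp.dll',
            'http://timestamp.globalsign.com/scripts/timestamp.dll',
            'http://tsa.starfieldtech.com'
        ),
        [int] $Rounds = 5,          # passes over the whole list (assumed default)
        [int] $DelaySeconds = 2     # pause between passes, as in the batch file
    )

    for ($round = 1; $round -le $Rounds; $round++) {
        foreach ($server in $Servers) {
            # Capture signtool's output so it does not leak into the function's return value.
            $output = & $SignTool timestamp /t $server $File 2>&1
            if ($LASTEXITCODE -eq 0) {
                # Do not rely on the exit code alone: read the signature back from the file.
                $sig = Get-AuthenticodeSignature -FilePath $File
                if (-not $sig.TimeStamperCertificate) {
                    throw "signtool reported success via $server, but '$File' has no timestamp countersignature."
                }
                return [pscustomobject]@{
                    Server          = $server
                    Round           = $round
                    SignatureStatus = $sig.Status
                    TimestampSigner = $sig.TimeStamperCertificate.Subject
                }
            }
            Write-Warning "Timestamping via $server failed (round $round): $output"
        }
        Start-Sleep -Seconds $DelaySeconds
    }
    # Fail the build loudly: without a timestamp the signature stops validating when the certificate expires.
    throw "No timestamp server responded after $Rounds rounds; '$File' is signed but not timestamped."
}
```

A release pipeline can additionally require that the returned SignatureStatus is Valid before publishing the file.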