Alternative timestamping services for Authenticode


Question

We perform code signing and timestamping for all our production builds. Occasionally (usually when we are about to RTM (!)) the timestamp server at Verisign ("http://timestamp.verisign.com/scripts/timstamp.dll") decides to go offline intermittently.

What should we do in this case?

  • Does the timestamp server have to be hosted by your root certification authority?
  • Are there any other network-hosted timestamp servers we could use instead of Verisign if their server is down? Suggestions for other highly available and free alternatives are welcome :)

Recommended answer

I use the following batch file, which loops a max of 300 times. There are two arguments: %1 is the path to a folder containing the batch file, pfx file and signtool.exe; %2 is the full path to the file being signed. You can call this in your Visual Studio post-build event with something like:

call "$(SolutionDir)thirdparty\signing\sign.bat" "$(SolutionDir)thirdparty\signing" "$(TargetPath)"

I have modified this batch file to use different timestamp servers in each iteration. Currently it uses Comodo, Verisign, GlobalSign and Starfield. Hopefully this is The Ultimate Signing Script ;)

@echo off    

REM create an array of timestamp servers...
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

REM sign the file...
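REM %~1 and %~2 strip the quotes passed by the caller so the paths can be re-quoted safely
"%~1\signtool.exe" sign /f "%~1\comodo.pfx" /p videodigital "%~2"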

set timestampErrors=0

for /L %%a in (1,1,300) do (

    for %%s in %SERVERLIST% do (

        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        "%~1\signtool.exe" timestamp /t %%s "%~2"

        REM check the return value of the timestamping operation; exit code 0 means success, otherwise try the next server...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded

        echo Signing failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1
    )

    REM wait 2 seconds...
    choice /N /T:2 /D:Y >NUL
)

REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1

:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0

I also put http://timestamp.comodoca.com into the trusted sites (thanks Vince). I think that may be an important step. I updated the root certificates on the PC too.
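
An added example, not part of the original answer: the same fallback loop in PowerShell, with a check that the file really carries a valid, timestamped signature before the build is allowed to pass, since the timestamp is what keeps the signature verifiable after the signing certificate expires. The parameter names and the Test-Timestamped helper are hypothetical; the server list and the signtool call are the ones from the batch file above.

```powershell
# Added example: timestamp an already-signed file, then verify the result.
param(
    [Parameter(Mandatory)] [string] $SignToolDir,  # folder with signtool.exe (the answer's %1)
    [Parameter(Mandatory)] [string] $TargetPath,   # signed file to timestamp (the answer's %2)
    [int] $MaxRounds = 300                         # same upper bound as the batch loop
)

# Same servers as SERVERLIST in the batch file above.
$servers = @(
    'http://timestamp.comodoca.com/authenticode',
    'http://timestamp.verisign.com/scripts/timestamp.dll',
    'http://timestamp.globalsign.com/scripts/timestamp.dll',
    'http://tsa.starfieldtech.com'
)
$signtool = Join-Path $SignToolDir 'signtool.exe'

# Hypothetical helper: true only if Windows accepts the signature AND a
# timestamp countersignature is present on it.
function Test-Timestamped([string] $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid') -and ($null -ne $sig.TimeStamperCertificate)
}

$stamped = Test-Timestamped $TargetPath   # skip the loop if already stamped
for ($round = 1; -not $stamped -and $round -le $MaxRounds; $round++) {
    foreach ($url in $servers) {
        & $signtool timestamp /t $url $TargetPath
        # Trust the exit code only when the file itself confirms the timestamp.
        if ($LASTEXITCODE -eq 0 -and (Test-Timestamped $TargetPath)) {
            $stamped = $true
            break
        }
        Write-Warning "Timestamping via $url failed (exit code $LASTEXITCODE)"
    }
    if (-not $stamped) { Start-Sleep -Seconds 2 }
}

if (-not $stamped) {
    Write-Error "No valid timestamp on $TargetPath after $MaxRounds rounds"
    exit 1
}

$tsa = (Get-AuthenticodeSignature -FilePath $TargetPath).TimeStamperCertificate
Write-Output "Timestamped by: $($tsa.Subject)"
exit 0
```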
