Is http://timestamp.geotrust.com/tsa no longer available for SignTool?


Problem description

We sign our executables on the build server. Suddenly the build server failed to build giving the error:

SignTool Error: The specified timestamp server either could not be reached or returned an invalid response.

After changing the timestamp server to http://sha256timestamp.ws.symantec.com/sha256/timestamp, signing did work again.

  1. Are there any issues with our old url? Why is it not available anymore?
  2. Could we have some (security) issues with the old signed files or the new url?

I know this is a little bit broad, I just don't want to miss anything...

Solution

I asked Symantec about that, so they sent me this link: https://knowledge.symantec.com/support/partner/index?page=content&id=NEWS10071&viewlocale=en_US

By April 18, 2017, Symantec will decommission the "Legacy" timestamping service.

(Legacy) RFC 3161 SHA128 Timestamp Service: https://timestamp.geotrust.com/tsa

To support business continuity for our customers, we have provided the following replacement services.

(New) RFC 3161 Service SHA256: http://sha256timestamp.ws.symantec.com/sha256/timestamp

Important: Customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn't allow use of SHA2 service (in this case you can use this new URL: RFC 3161 Service SHA128: http://sha1timestamp.ws.symantec.com/sha1/timestamp).

Background and Key Industry Mandates affecting the Timestamping services

To comply with Minimum Requirements for Code Signing (CSMRs) published by CA Security Council and Microsoft Trusted Root Program Requirements (section 3.14), Symantec has set up the "new" RFC 3161 (SHA1 and SHA2) service as per specifications and requirements laid out by section 16.1 which requires FIPS 140-2 Level 3 key protection. In the near future, Oracle will be taking steps to remove SHA1 support for both Java signing and timestamping. This will not impact Java applications that were previously signed or timestamped with SHA1 as these will continue to function properly. However, Java applications signed or timestamped with SHA1 after Oracle's announced date may not be trusted.
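
An added example, not part of the original answer or of Symantec's notice: a PowerShell build step that signs with the SHA256 RFC 3161 service named above and fails the build if no timestamp was attached. It assumes signtool.exe is on PATH and a code-signing certificate is installed; the parameter names, the retry count and the use of /a are illustrative choices.

```powershell
# Added example (not from the original post). Assumes signtool.exe is on PATH
# and a code-signing certificate is available in the certificate store.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Replacement SHA256 RFC 3161 endpoint quoted in the answer above.
    [string] $TimestampUrl = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
    [int] $MaxAttempts = 3   # assumption: three tries is enough for a brief outage
)

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    # /fd sha256 : digest used for the file signature
    # /tr <url>  : RFC 3161 timestamp server
    # /td sha256 : digest used in the timestamp request
    # /a         : pick a certificate automatically (assumption; builds often pin one)
    & signtool.exe sign /fd sha256 /tr $TimestampUrl /td sha256 /a $Path
    if ($LASTEXITCODE -eq 0) { break }
    if ($attempt -eq $MaxAttempts) {
        throw "signtool failed after $MaxAttempts attempts (exit code $LASTEXITCODE)"
    }
    # The timestamp server may be briefly unreachable; back off and retry.
    Start-Sleep -Seconds (5 * $attempt)
}

# A signature without a timestamp stops validating once the signing
# certificate expires, so fail the build if none was attached.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "File is signed but carries no timestamp: $Path"
}
"Signed and timestamped by: $($sig.TimeStamperCertificate.Subject)"
```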
