Authenticode 的替代时间戳服务 [英] Alternative timestamping services for Authenticode

问题描述

我们为所有生产版本执行代码签名和时间戳.有时(通常当我们要 RTM(！)时)Verisign 的时间戳服务器 ("http://timestamp.verisign.com/scripts/timstamp.dll") 决定间歇性下线.

We perform code signing and timestamping for all our production builds. Occasionally (usually when we are about to RTM (!)) the timestamp server at Verisign ("http://timestamp.verisign.com/scripts/timstamp.dll") decides to go offline intermittently.

在这种情况下我们应该怎么做?

What should we do in this case?

• 时间戳服务器是否必须由您的根证书颁发机构?
• 还有其他我们可以使用的网络托管时间戳服务器吗如果他们的服务器关闭，而不是 Verisign?欢迎提出其他高可用性和免费替代方案的建议:)

• Does the timestamp server have to be hosted by your root certification authority?
• Are there any other network-hosted timestamp servers we could use instead of Verisign if their server is down? Suggestions for other highly available and free alternatives are welcome :)

推荐答案

我使用以下批处理文件，它最多循环 300 次.有两个参数，%1 是包含批处理文件、pfx 文件和 signtool.exe 的文件夹的路径.%2 是被签名文件的完整路径.您可以在 Visual Studio 后期构建事件中调用它，例如 call "$(SolutionDir)thirdpartysigningsign.bat" "$(SolutionDir)thirdpartysigning" "$(TargetPath)"我已修改此批处理文件以在每次迭代中使用不同的时间戳服务器.目前它使用 Comodo、Verisign、GlobalSign 和 Starfield.希望这是终极签名脚本；)

I use the following batch file which loops a max of 300 times. There are two arguments, %1 is the path to a folder containing the batch file, pfx file and signtool.exe. %2 is the full path to the file being signed. You can call this in your visual studio post build event with something like call "$(SolutionDir)thirdpartysigningsign.bat" "$(SolutionDir)thirdpartysigning" "$(TargetPath)" I have modified this batch file to use different timestamp servers in each iteration. Currently it uses Comodo, Verisign, GlobalSign and Starfield. Hopefully this is The Ultimate Signing Script ;)

@echo off    

REM create an array of timestamp servers...
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

REM sign the file...
%1signtool.exe sign /f %1comodo.pfx /p videodigital %2

set timestampErrors=0

for /L %%a in (1,1,300) do (

    for %%s in %SERVERLIST% do (

        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        %1signtool.exe timestamp /t %%s %2

        REM check the return value of the timestamping operation and retry a max of ten times...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded

        echo Signing failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1
    )

    REM wait 2 seconds...
    choice /N /T:2 /D:Y >NUL
)

REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1

:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0

我还将 http://timestamp.comodoca.com 放入受信任的站点(感谢 Vince).我认为这可能是重要的一步.我也更新了 PC 上的根证书.

I also put http://timestamp.comodoca.com into the trusted sites (thanks Vince). I think that may be an important step. I updated the root certificates on the PC too.

这篇关于Authenticode 的替代时间戳服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！