Code signing with SHA-256 digest and RFC 3161 timestamp under Windows 7

Hello,

We are currently using PB 3.5.1 and need to be able to digitally sign our packages using SHA-256 and RFC 3161 timestamp. For some reasons, our build server must run under Windows Server 2008 R2 (i.e. Windows 7). In the PB documentation I read the following statement:

“By default, time stamping using RFC 3161 is automatically selected on Windows 8 or higher for SHA-2 signatures.”

Under Windows 7, when forcing package signing with an SHA-256 digest, the Authenticode-compatible timestamp server is used, not the RFC 3161 one (by the way, there is a mistype in that doc topic - “Digitam Signature Timestamp” instead of “Digital Signature Timestamp” ).

Is there a way to force an RFC 3161 timestamping server when signing under Windows 7?

Kind Regards,

JFC

Unfortunately no, because the Windows API necessary to deal with an RFC 3161 timestamping server are only available starting from Windows 8 or higher.
Thanks for the tipo in the doc. This will be fixed in next update.

I read that PB is using GSignCode, which I don’t know, for code signing. Actually, we are using SignTool from the WDK to sign our drivers. Here is what can be done according to the WDK version:

1. With SignTool from WDK 7.1:

• SHA-1 code signing with Authenticode timestamping works under Windows 7 & later
• SHA-256 code signing with RFC 3161 timestamping works under Windows 7 & later
• Dual-signing for SHA-1 and SHA-256 is not supported by that version of the tool

1. With SignTool from WDK 8 & later:

• SHA-1 code signing with Authenticode timestamping works under Windows 7 & later
• SHA-256 code signing with RFC 3161 timestamping works under Windows 8 & later (a crash occurs under Windows 7)
• Dual-signing for SHA-1 and SHA-256 works under Windows 8 & later

Our use-case is the bold one. It thus looks like this is more a limitation in the code-signing tool. Is there a way to work around this?

SignTool probably uses its own API on Windows 7 but GSignCode won’t be able to deal with SHA-256 code signing on Windows 7. Maybe you can use a batch file to call SignTool after the creation of the package?