We are currently using PB 3.5.1 and need to be able to digitally sign our packages using SHA-256 and an RFC 3161 timestamp. For some reason, our build server must run under Windows Server 2008 R2 (i.e. Windows 7). In the PB documentation I read the following statement:
“By default, time stamping using RFC 3161 is automatically selected on Windows 8 or higher for SHA-2 signatures.”
Under Windows 7, when forcing package signing with an SHA-256 digest, the Authenticode-compatible timestamp server is used, not the RFC 3161 one (by the way, there is a mistype in that doc topic - “Digitam Signature Timestamp” instead of “Digital Signature Timestamp” ;)).
Is there a way to force an RFC 3161 timestamping server when signing under Windows 7?
Unfortunately no, because the Windows APIs necessary to deal with an RFC 3161 timestamping server are only available starting from Windows 8 or higher.
Thanks for the typo in the doc. This will be fixed in the next update.
SignTool probably uses its own API on Windows 7 but GSignCode won’t be able to deal with SHA-256 code signing on Windows 7. Maybe you can use a batch file to call SignTool after the creation of the package?
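
The batch-file approach suggested in the reply above, as an added example that is not part of the original thread or the product's own tooling. The certificate thumbprint and timestamp URL are placeholders, the script layout is hypothetical, and it assumes a SignTool version that supports `/tr` and `/td`.

```batch
@echo off
rem Post-build step: sign a package with a SHA-256 digest and an RFC 3161
rem timestamp, then verify it. Run after the package has been created.
rem CERT_THUMBPRINT and TSA_URL are placeholders, not values from the thread.
setlocal

set "SIGNTOOL=signtool.exe"
set "PACKAGE=%~1"
set "CERT_THUMBPRINT=REPLACE_WITH_CERT_SHA1_THUMBPRINT"
set "TSA_URL=http://timestamp.example.com/rfc3161"
set "MAX_TRIES=3"

if "%PACKAGE%"=="" goto usage
if not exist "%PACKAGE%" goto usage

rem /sha1 only selects the signing certificate from the store by thumbprint;
rem the signature digest is set by /fd. /tr names the RFC 3161 timestamp
rem server and /td the digest used for the timestamp request.
set /a TRY=0
:sign
set /a TRY+=1
"%SIGNTOOL%" sign /sha1 %CERT_THUMBPRINT% /fd SHA256 /tr "%TSA_URL%" /td SHA256 "%PACKAGE%"
if not errorlevel 1 goto verify
if %TRY% GEQ %MAX_TRIES% goto signfailed
rem Timestamp servers fail intermittently, so wait about 10 seconds and retry.
echo Signing attempt %TRY% failed, retrying...
ping -n 11 127.0.0.1 >nul
goto sign

:verify
rem /pa = default Authenticode verification policy, /tw = warn when the
rem signature carries no timestamp, /v = verbose. Any non-zero exit code
rem (error or warning) fails the build.
"%SIGNTOOL%" verify /pa /tw /v "%PACKAGE%"
if errorlevel 1 goto verifyfailed
echo Signed and verified: "%PACKAGE%"
exit /b 0

:signfailed
echo Signing failed after %TRY% attempts: "%PACKAGE%"
exit /b 1
:verifyfailed
echo Verification failed, do not ship: "%PACKAGE%"
exit /b 1
:usage
echo Usage: %~nx0 ^<path-to-package^>
exit /b 2
```

Failing the build on a non-zero exit from either step keeps an unsigned or untimestamped package from being published silently.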