PDA

View Full Version : Better Comodo URL for CodeSign - h t t p : / / timestamp.comodoca.com/rfc3161



MarkGoldberg
02-03-2016, 10:53 AM
I found that appending /rfc3161 to the timestamp url works well for SHA2 (see thread title)

http://timestamp.comodoca.com/rfc3161

I figured that out before I stumbled across the following #pragmas
CODESIGN_SHA
CODESIGN_TSTYPE
CODESIGN_TSSHA1URL

https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server
Talks about how Authenticode is older and I had poor luck adding ?td=sha256 to the URL

I was able to have success at the command line with using switches found here https://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396
but I wasn't able to get SB to use those switches, even when i tried "sql injection"... err "command switch injection" techniques inside of SB.


After some confirmation, possibly this can be documented and the URL added to the default list of URLs in SB.

linder
02-03-2016, 12:54 PM
Mark,

http://timestamp.comodoca.com/rfc3161 is already a pre-defined timestamp server in SetupBuilder 10.

The following pragmas are working fine when using the above timestamp. The resulting file is perfectly SHA-2 signed and COMODO SHA-256 timestamped.

#pragma CODESIGN_SHA = "2"
#pragma CODESIGN_TSTYPE = "1"

I can post screenshots if you want.

Friedrich

linder
02-03-2016, 01:00 PM
BTW, and using this as "main" SHA-2 timestamp server for dual SHA-1/SHA-2 signing:

http://timestamp.comodoca.com/rfc3161

and these pragmas in the script:

#pragma CODESIGN_SHA = "12"
#pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

creates a perfectly valid (dual) SHA-1 signature including Comodo SHA-1 timestamp and SHA-2 signature including SHA-2 timestamp.

Tested on Windows 10 with the latest SignTool.exe version 10.

Friedrich