
When signing a cab with a SHA256 EV certificate, we wanted to also use a SHA256 timestamp. Trying with the Comodo server (where we got the EV cert), we used:

/tr http://timestamp.comodoca.com/?td=sha256 /td sha256

and

/tr http://timestamp.comodoca.com/rfc3161 /td sha256

In both cases the cab signed okay; looking at the certificate, it shows the full chain and shows as okay (even viewed from the 2008r2 server).

The driver installs fine on windows 10.

However trying to install the printer on 2008r2 brings up the dreaded red "Untrusted Publisher" warning.

So we tried with a SHA1 timestamp, everything else the same, just removing the /td sha256 option:

/tr http://timestamp.comodoca.com/rfc3161

This, as expected, signed okay; the timestamp showed SHA1 rather than SHA256, and now it works great on 2008r2 (as well as Win 10 still). So okay, we have something that works, but SHA1 timestamps are not recommended going forward, so just out of stubbornness (since I've been trying anyway for days) I tried the Symantec timestamp server:

http://sha256timestamp.ws.symantec.com/sha256/timestamp /td sha256

The cat signed, it's a SHA256 timestamp AND IT WORKS?! It works on 2008r2 and Win10, all fine. So great! But why? I can't find any details on Comodo/Sectigo or Microsoft or anywhere that say only some timestamp servers can be used for SHA256 2008r2 driver signing. That appears to be the case though? Have I missed something? If not, then I hope the above info can save someone the days of pain I just went through.

Oh, and I do have a ticket with Comodo/Sectigo detailing the above, but I'm not holding my breath on getting anything sensible back!

kensands
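One thing worth checking in a situation like the one described above is which digest algorithm the timestamp token actually carries, rather than relying on the certificate dialog alone. The script below is an added example, not code from the original post or from any of the vendors named in it. It walks a DER-encoded CMS/PKCS#7 blob (a detached signature or an RFC 3161 timestamp token you have already extracted to a file with your own tooling; extraction is assumed, not shown) and reports every digest-algorithm OID it finds, plus whether an RFC 3161 TSTInfo or the Microsoft RFC 3161 countersignature attribute is present. The OIDs are the real registered values; the `build_sample()` blob, its policy OID, serial and time are constructed placeholders so the script runs offline.

```python
"""Report which digest algorithms appear in a DER-encoded CMS / RFC 3161 blob.

Added example (not from the original post). It assumes the signature or
timestamp token is already available as raw DER bytes; build_sample()
constructs a stand-in timestamp token so the code can run without one.
"""
import sys

# Registered OIDs (RFC 3161, RFC 5754, FIPS 180 OID arc, MS Authenticode).
DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
OID_TSTINFO = "1.2.840.113549.1.9.16.1.4"          # id-ct-TSTInfo (RFC 3161)
OID_RFC3161_COUNTERSIG = "1.3.6.1.4.1.311.3.3.1"   # MS RFC 3161 countersignature attr


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:           # last base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def walk(buf: bytes, oids: list) -> bool:
    """Parse buf as a run of DER TLVs and append every OID found.

    Returns False if buf is not well-formed DER; that is how we decide
    whether an OCTET STRING wraps nested DER (as the eContent of a
    timestamp token does) or is just opaque bytes such as a hash value."""
    i, n = 0, len(buf)
    while i < n:
        tag = buf[i]; i += 1
        if tag == 0 or tag & 0x1F == 0x1F:   # EOC / high-tag-number: not expected in DER here
            return False
        if i >= n:
            return False
        length = buf[i]; i += 1
        if length & 0x80:                    # long-form length
            nbytes = length & 0x7F
            if nbytes == 0 or i + nbytes > n:  # indefinite length is BER, not DER
                return False
            length = int.from_bytes(buf[i:i + nbytes], "big"); i += nbytes
        if i + length > n:
            return False
        content = buf[i:i + length]; i += length
        if tag == 0x06:                      # OBJECT IDENTIFIER
            if not content:
                return False
            oids.append(decode_oid(content))
        elif tag & 0x20:                     # constructed: SEQUENCE, SET, [0] ...
            if not walk(content, oids):
                return False
        elif tag == 0x04:                    # OCTET STRING: descend only if it is itself DER
            nested = []
            if walk(content, nested):
                oids.extend(nested)
    return True


def report(der: bytes) -> dict:
    """Summarise the digest algorithms and RFC 3161 markers present in a DER blob."""
    oids = []
    if not walk(der, oids):
        raise ValueError("input is not well-formed DER")
    return {
        "digests": {DIGEST_OIDS[o] for o in oids if o in DIGEST_OIDS},
        "has_tstinfo": OID_TSTINFO in oids,
        "has_rfc3161_countersig": OID_RFC3161_COUNTERSIG in oids,
    }


# --- tiny DER encoder, used only to construct the offline sample -------------
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def build_sample(digest: str = "sha256") -> bytes:
    """Constructed stand-in for a timestamp token's encapContentInfo:
    id-ct-TSTInfo + [0] OCTET STRING holding a DER TSTInfo whose
    messageImprint uses the requested digest. Policy OID, hash, serial
    and genTime are placeholders, not real data."""
    alg_oid = {v: k for k, v in DIGEST_OIDS.items()}[digest]
    alg_id = der(0x30, encode_oid(alg_oid) + der(0x05, b""))          # AlgorithmIdentifier
    imprint = der(0x30, alg_id + der(0x04, b"\x00" * 32))             # MessageImprint (zeroed hash)
    tst_info = der(0x30, der(0x02, b"\x01")                           # version 1
                   + encode_oid("1.2.3.4")                            # placeholder policy OID
                   + imprint
                   + der(0x02, b"\x01")                               # placeholder serialNumber
                   + der(0x18, b"20190101000000Z"))                   # placeholder genTime
    return der(0x30, encode_oid(OID_TSTINFO) + der(0xA0, der(0x04, tst_info)))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(report(data))
```

Run it with the path to a DER file to inspect a real token, or with no arguments to see the constructed sample report `{'digests': {'sha256'}, 'has_tstinfo': True, ...}`. A token whose `digests` set contains only `sha1` is what the poster saw after dropping `/td sha256`; one containing `sha256` confirms the option took effect at the server, which is independent of whether the target OS then accepts it.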
