
I'm using signtool to code sign some Windows setup files and application executables. The command that I'm using is:

signtool sign /f "\path\to\certfile.pfx" /p "certPassword" /tr http://tsa.starfieldtech.com /td SHA256 "path\to\setup.exe"

The /tr option causes the signature to be time stamped with the specified time stamp server. The /td specifies the digest algorithm (hash function).

This command is typically executed by an automated code signing job on one of our remote servers. The job signs 22 different executables, half of which are setup files with the other half being application executables. Often, at some point in the signing job, the command fails on one of the files. It's not always one or other type of exe, it happens on both types. The error is:

Done Adding Additional Store  
Error information: "SignerTimeStampEx2() failed." (-2146881278/0x80093102)  
SignTool Error: An unexpected internal error has occurred.  
Sign command failed with exit code 1.  

The MSDN documentation states that the 0x80093102 code means:

CRYPT_E_ASN1_EOD - ASN1 unexpected end of data.

I've checked the server's Windows Event Log and haven't found any related messages.

I rerun the job and it sometimes fails on a different exe and sometimes it successfully signs all files. Note that the job does not rebuild the exes, it uses the same source exes each time. I've run this same job locally many times with the same executable files and never had an issue. It seems to be only when I run from the remote server. Based upon that fact, the error information logged, and the text of the result code explanation, it sounds like it is either having trouble connecting to the time stamp server or there's an error while communicating with the server.

What, exactly, does this error mean and how do I resolve the issue?

Update: I've modified my signing script to retry the signing of an individual exe up to five times when it fails on that exe. While testing that change on my local machine, I actually encountered an instance of the same error, indicating that it's not just an issue on the remote server. Assuming that this is simply a failure to contact the time stamp server, this might be my best option. However, I'd still like to know what the exact cause of the error is.

Ron Ratzlaff
  • I've seen this, and I feel like the timestamp server is blocking me because of too many requests. Is this possible on your end? – tofutim Jun 04 '15 at 20:11
  • I don't think so because I'm only making 22 requests in the span of about 2 minutes. Also, after putting in the workaround to retry the request and logging to detect it, I've only ever encountered the error once and the job has been running for one year as of this month. Thanks for the suggestion, though. – Ron Ratzlaff Jun 08 '15 at 19:08
  • This might be the issue: https://stackoverflow.com/questions/28717034/what-is-wrong-with-godaddys-timestamp-server-and-itextsharp – Daniel Fisher lennybacon Mar 29 '19 at 09:18
  • I had the same issue today, randomly getting this error on different projects. We added the time stamp URL to the high priority list on our firewall, and we didn't seem to have any issues after that. – RickWeb Aug 21 '19 at 16:43
  • Same error with SignTool.exe from the Win 7 SDK. I got past it by specifying `/fd SHA256 /td SHA256`. The SECTIGO time-stamping server that I'm using mentions automatically selecting an algorithm. I wonder if that is a common technology and whether that auto-selection--which would require additional processing--might intermittently time out. When the OP asked the question, `/fd` may not have even been available, and he already specified `/td`, so not sure this would have applied, but maybe others will benefit from specifying these parameters. Also works with SignTool.exe from the Win 10 SDK. – Mark Berry Apr 16 '21 at 19:36
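The retry approach from the question's update, combined with the explicit `/fd` and `/td` digest options from the comments, as an added PowerShell example (not the asker's script and not anything shipped by Microsoft). It assumes signtool.exe is on PATH and that the certificate path, password, timestamp server and file list are supplied as parameters; only timestamp-server failures are retried, and every file is re-verified after signing.

```powershell
# Added example: retry wrapper around the signtool command from the question.
# Assumes signtool.exe is on PATH; all other values are caller-supplied parameters.
param(
    [string[]]$Files,
    [string]$PfxPath,
    [string]$PfxPassword,
    [string]$TsaUrl = 'http://tsa.starfieldtech.com',
    [int]$MaxAttempts = 5
)

function Invoke-SignWithRetry {
    param([string]$Path)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # /fd and /td pin both digest algorithms, as suggested in the comments above
        $output = & signtool sign /f $PfxPath /p $PfxPassword /fd SHA256 `
            /tr $TsaUrl /td SHA256 $Path 2>&1
        if ($LASTEXITCODE -eq 0) {
            # Confirm the signature (and its timestamp) are actually present before moving on
            & signtool verify /pa /v $Path | Out-Null
            if ($LASTEXITCODE -eq 0) { return $true }
        }
        # Keep the exact signtool text so intermittent TSA failures can be found in the job log
        $msg = ($output | Out-String).Trim()
        Write-Warning "Attempt $attempt of $MaxAttempts failed for $Path : $msg"
        if ($msg -match 'SignerTimeStampEx2|0x80093102') {
            # Transient timestamp-server failure: back off a little longer each time
            Start-Sleep -Seconds (5 * $attempt)
        } else {
            # Bad password, missing file, etc. will not fix itself; do not burn retries on it
            return $false
        }
    }
    return $false
}

$failed = @()
foreach ($f in $Files) {
    if (-not (Invoke-SignWithRetry -Path $f)) { $failed += $f }
}
if ($failed.Count -gt 0) {
    Write-Error ("Signing failed after retries for: " + ($failed -join ', '))
    exit 1
}
```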
