When using signtool.exe to perform Authenticode signing of executables, we want to use timestamping to ensure that the executable will still be valid in the future. It seems that the timestamping server protocol only supports http:// and not https:// out of the box. This seems like a security vulnerability on Microsoft's part.

Does anyone know how to perform signtool.exe timestamping via SSL? In other words, to use a time server such as https://timestamp.digicert.com instead of http://timestamp.digicert.com.

A X
  • Should not matter assuming the timestamp is signed by the server. – Anders Sep 05 '22 at 10:41
  • @Anders but isn't there the potential for packet sniffing and man in the middle attacks? – A X Sep 06 '22 at 02:07
  • I don't know exactly how the timestamping works, but I would imagine the server signs the timestamp, so if anyone in the middle modifies the response the timestamp becomes invalid. – Anders Sep 06 '22 at 09:59

1 Answer

There are timestamping services available through HTTPS, see for example this Gist listing public servers:

https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710

Some of them are served through HTTPS:

https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
https://freetsa.org
https://ca.signfiles.com/tsa/get.aspx
https://tsp.iaik.tugraz.at/tsp/TspRequest

The others may also work; just try replacing http:// with https://.

https://timestamp.sectigo.com
Emmanuel Bourg
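As an added example (not part of the question or the answer above), a PowerShell script that signs with signtool.exe using the HTTPS form of a timestamp URL from this thread and then checks that a timestamp countersignature is actually present. The file path and certificate thumbprint are placeholders, and whether a given server answers over HTTPS is, as the answer says, something to try.

```powershell
# Added example (not from the question or answer): sign with an RFC 3161 timestamp over HTTPS,
# then confirm the signed timestamp countersignature is present. $File and $Thumb are placeholders;
# $TsaUrl is the https:// form of the server named in the question.
param(
    [string]$File   = 'C:\build\app.exe',               # placeholder: executable to sign
    [string]$Thumb  = '<CODE-SIGNING-CERT-THUMBPRINT>',  # placeholder: cert in CurrentUser\My
    [string]$TsaUrl = 'https://timestamp.digicert.com'   # HTTPS form of the server from the question
)

# /fd and /td select SHA-256 for the file digest and the timestamp digest;
# /tr requests an RFC 3161 timestamp from the given URL.
& signtool.exe sign /sha1 $Thumb /fd sha256 /tr $TsaUrl /td sha256 $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed (exit $LASTEXITCODE); check that $TsaUrl answers RFC 3161 requests over HTTPS"
}

# Verify the Authenticode signature; /v prints the timestamp details.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }

# The timestamp token is itself signed by the TSA (the point made in the comments);
# Get-AuthenticodeSignature exposes that countersigner, so the check needs no PE parsing.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid')          { throw "signature status: $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'no timestamp countersignature found' }
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

If the sign step fails only with the https:// URL, the server does not offer the service over TLS and a different HTTPS-capable TSA from the list above is the option the answer points to.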