Closed vvdulevich closed 2 years ago
Thanks for the bug report @vvdulevich - I've added this to our backlog to take a look.
Hmmm. Do we trust that the DigiCert utility is correct? I am seeing the dlls do have timestamps. I'm also seeing the DigiCert utility flagging my dlls that I know to be signed with a timestamp.
Hi, some time ago I had the same problem with dlls on my project (it wasn't possible to create a firewall rule to allow loading dlls signed with my certificate). DigiCert was showing the warning: "The signature does not contain a timestamp...." When I fixed the timestamp according to this article https://knowledge.digicert.com/solution/SO912.html the problem went away, and DigiCert began to show two green icons, no warnings. In my case it was the third point in the article: 3. "The incorrect signing option is used with your timestamping service." So I changed the signing process this way: signtool.exe [other params] /t http://timestamp.comodoca.com. So, for some reason, even if a timestamp exists in the file, that doesn't mean it's valid.
Hi All, not so familiar with how the SDLC works for this project, release cadence etc... Would love to know what to expect next for this user story to see it moving & get a release date. Does anyone have info on that or a link to where I could find that? Definitely interested in this as it impacts one of our vendor's plugins, which will not run in Edge mode (which means we get limited functionality from it); security won't allow us to bypass Windows 10 exploitation protection, which is preventing said modules from loading, so would love to see this fixed.
Hey @chelito103 - This issue is on our backlog, but we haven't dug deep into it yet. We do sign our binaries with an RFC3161 timestamp, but we don't know whether it's failing to write the timestamp correctly or if DigiCert is running into a different issue. Can you confirm that your issue is also caused by DigiCert checking the timestamp?
Here's the result of checking the signature with SignTool:
>> "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa lib\net45\Microsoft.Web.WebView2.Core.dll
File: lib\net45\Microsoft.Web.WebView2.Core.dll
Index Algorithm Timestamp
========================================
0 sha256 RFC3161
Successfully verified: lib\net45\Microsoft.Web.WebView2.Core.dll
>> "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa runtimes\win-x86\native\WebView2Loader.dll
File: runtimes\win-x86\native\WebView2Loader.dll
Index Algorithm Timestamp
========================================
0 sha256 RFC3161
Successfully verified: runtimes\win-x86\native\WebView2Loader.dll
They both have RFC3161 timestamps, but both showed as not having a timestamp when checking signature in DigiCert.
I was able to replicate the issue using other dlls in C:\windows\system32. And I found others running into this: https://www.hwinfo.com/forum/threads/timestamp-not-current-or-missing-form-digital-signature-on-hwinfo64.7646/
At this point I'm fairly certain that this is a bug in DigiCert. If you have other tools also showing a missing timestamp please let us know, but for now I'm closing this issue. Thanks!
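A second-opinion check for the question in the comment above (do the DLLs carry a timestamp countersignature?), added here as an example; it is not part of the original thread or of the WebView2 project's tooling. It uses PowerShell's built-in `Get-AuthenticodeSignature` instead of SignTool or the DigiCert utility, and the package path is a hypothetical placeholder.

```powershell
# Added example: report Authenticode status and timestamp countersignature
# for every DLL under a folder. $PackageRoot is a hypothetical path.
param(
    [string]$PackageRoot = '.\packages\Microsoft.Web.WebView2'
)

function Get-SignatureTimestampReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Filter *.dll -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = $sig.SignerCertificate
        # TimeStamperCertificate is $null when Windows finds no timestamp
        # countersignature on the file.
        $tsa    = $sig.TimeStamperCertificate

        [pscustomobject]@{
            File               = $_.FullName
            Status             = $sig.Status
            Signer             = if ($signer) { $signer.Subject } else { $null }
            # Without a timestamp the signature stops validating once the
            # signing certificate passes this date.
            SignerNotAfter     = if ($signer) { $signer.NotAfter } else { $null }
            HasTimestamp       = [bool]$tsa
            TimestampAuthority = if ($tsa) { $tsa.Subject } else { $null }
        }
    }
}

$report = @(Get-SignatureTimestampReport -Path $PackageRoot)
$report | Format-Table File, Status, HasTimestamp, SignerNotAfter -AutoSize

# Flag anything that is unsigned, fails validation, or lacks a timestamp.
$problems = @($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.HasTimestamp })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} of {1} DLLs need attention:" -f $problems.Count, $report.Count)
    $problems | Format-List File, Status, Signer, HasTimestamp
    exit 1
}
Write-Output ("All {0} DLLs are validly signed and timestamped." -f $report.Count)
```

If this report and `signtool verify /pa` agree that a timestamp is present while one utility says otherwise, the disagreement points at that utility rather than at the signing process.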
The post on the other forum saying that DigiCertUtil is buggy doesn't really mean that it's buggy. Please post the command line which you use to sign the dlls.
Hello, I installed the WebView2 1.0.1020.30 package from NuGet. The problem is that all dll files distributed in this package are not signed correctly. If I check the files with the DigiCert utility it says that "The signature does not contains a timestamp. Its strongly...". This message means that while signing the assemblies no timestamp server was specified. And this issue is critical when distributing dlls to clients, as many clients have their firewall/antivirus configured to run only programs with specific certificates. And it's not possible to check a certificate without a timestamp, so installing/running the program is blocked. Please add a timestamp when you sign your assemblies. Thanks.
AB#37806313