Open hotchkj opened 2 years ago
@dtivel Is there an existing issue which I can dedup?
@erdembayar, not that I'm aware of.
I'm OK with the idea of signing with multiple timestamp servers and retrying, but ignoring one that failed by falling back might introduce another issue later.
Team Triage: Assigning to @dtivel. Is this something we'd want to consider?
Team Triage: It's a reasonable ask because there isn't a good way for package authors to detect this specific failure and retry it alone; you'd have to recognize that the sign operation failed (in part or whole) and retry the entire operation.
By comparison, we're not aware of other signing tools (e.g.: signtool, jarsigner, vsixsigntool) that accept multiple timestampers for any reason (e.g.: for multiple timestamps or fallback). Note that signtool has a separate "timestamp" command that enables signers to timestamp separately from signing. We could consider that as an alternative to supporting multiple timestampers, but the latter is much simpler.
NuGet Product(s) Involved
NuGet.exe
The Elevator Pitch
Signing a NuGet package can time out when querying a specific timestamp server. Ideally the client would fall back to a list of timestamping servers rather than being dependent on the availability of a single one.
Additional Context and Details
An example command that fails a build if not coded to be retried (and requiring some detection to figure out that it's a retryable error).
Maybe this is an update to the -Timestamper argument that can take a list, or an alternative -Timestampers argument.
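An added example, not part of the issue or of NuGet itself: a PowerShell wrapper that applies the workaround described in the triage comment, re-running the whole sign operation against an ordered list of timestamp servers. The function name, URLs, paths and fingerprint are placeholders; it assumes nuget.exe is on the PATH and the certificate is in a certificate store.

```powershell
# Added example. The function name, URLs and fingerprint are placeholders.
function Invoke-NuGetSignWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $PackagePath,
        [Parameter(Mandatory)] [string]   $CertificateFingerprint,
        [Parameter(Mandatory)] [string[]] $Timestampers,   # tried in order
        [Parameter(Mandatory)] [string]   $OutputDirectory,
        [int] $AttemptsPerServer = 2,
        [int] $DelaySeconds = 5
    )

    foreach ($url in $Timestampers) {
        for ($attempt = 1; $attempt -le $AttemptsPerServer; $attempt++) {
            # The whole sign operation is repeated; the timestamp request
            # cannot be retried on its own. The signed copy is written to
            # $OutputDirectory, so the input package is never modified.
            $log = & nuget.exe sign $PackagePath `
                -CertificateFingerprint $CertificateFingerprint `
                -Timestamper $url `
                -OutputDirectory $OutputDirectory `
                -NonInteractive 2>&1
            if ($LASTEXITCODE -eq 0) {
                $signed = Join-Path $OutputDirectory (Split-Path $PackagePath -Leaf)
                & nuget.exe verify -Signatures $signed | Out-Null
                if ($LASTEXITCODE -ne 0) { throw "Signed package failed verification: $signed" }
                # Report which server was used so a fallback is visible in build logs.
                return [pscustomobject]@{ Package = $signed; Timestamper = $url; Attempt = $attempt }
            }
            # A timestamp failure cannot be told apart from other sign errors
            # here, so every failure is treated as retryable and logged in full.
            Write-Warning "nuget sign failed (server $url, attempt $attempt): $($log -join ' ')"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    throw "nuget sign failed with every timestamp server: $($Timestampers -join ', ')"
}

# Usage (placeholder values):
# Invoke-NuGetSignWithFallback -PackagePath .\out\My.Package.1.0.0.nupkg `
#     -CertificateFingerprint '<certificate fingerprint>' -OutputDirectory .\signed `
#     -Timestampers 'http://timestamp.example.com', 'http://timestamp.example.net'
```

Because the wrapper retries on any non-zero exit code, a persistent error such as a bad certificate is retried against every server before the final failure; the warnings keep each failed attempt visible instead of hiding it behind the fallback.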