SignFile should support RFC 3161 SHA256 timestamp

[ChristophLindemann]

My understanding is, that Microsoft requires (maybe not enforcing yet) that both the digest and timestamp digest are SHA256 to be a valid Authenticode SHA-2 signature on Windows 10 as of May 2017.

The current SignFile task is not able to produce such signature, but produces a signature with SHA256 file digest, but SHA1 timestamp digest.

Expected In my opinion SignFile should use RFC 3161 SHA256 timestamp (/td SHA256 /tr <RFC3161-timestamp-url>) when signing, or at least support it.

Actual Currently the when using SignFile to sign with SHA256 digest (TargetFrameworkVersion >= v4.5), it only supports using SHA1 digest for the timestamp. (it uses /t <timestamp-url>).

https://github.com/Microsoft/msbuild/blob/a9f64ebd108702c3fc65339c66cb124217854524/src/Tasks/ManifestUtil/SecurityUtil.cs#L755-L756

Dual signing It would also be really nice to be able to dual sign, which would require the /as signtool parameter

[qidydl]

Agree with this request, we use timestamped signatures on our applications and installers, and there are some security personnel out there who will raise a red flag at the sight of the letters "sha1", no matter how insignificant. Given that signtool.exe already supports this and MSBuild is doing P/Invoke of Win32 API, it should be possible to achieve. Not sure if it should be linked to the existing SHA1-vs-SHA256 flag for the signature itself?

As long as we're at it, Authenticode sealing (see e.g. https://vcsjones.com/2016/12/30/authenticode-sealing/) would also be a useful addition.

[strushb]

I just found out that this has been fixed in #4397 which has been released in MSBuild 16.2

Just enter an RFC3161 compliant timestamp url and the task will work (tries both protocols)