Closed ChristophLindemann closed 4 years ago
Agree with this request, we use timestamped signatures on our applications and installers, and there are some security personnel out there who will raise a red flag at the sight of the letters "sha1", no matter how insignificant. Given that signtool.exe already supports this and MSBuild is doing P/Invoke of Win32 API, it should be possible to achieve. Not sure if it should be linked to the existing SHA1-vs-SHA256 flag for the signature itself?
As long as we're at it, Authenticode sealing (see e.g. https://vcsjones.com/2016/12/30/authenticode-sealing/) would also be a useful addition.
I just found out that this has been fixed in #4397 which has been released in MSBuild 16.2
Just enter an RFC3161 compliant timestamp url and the task will work (tries both protocols)
My understanding is, that Microsoft requires (maybe not enforcing yet) that both the digest and timestamp digest are SHA256 to be a valid Authenticode SHA-2 signature on Windows 10 as of May 2017.
The current
SignFile
task is not able to produce such signature, but produces a signature with SHA256 file digest, but SHA1 timestamp digest.Expected In my opinion
SignFile
should use RFC 3161 SHA256 timestamp (/td SHA256 /tr <RFC3161-timestamp-url>
) when signing, or at least support it.Actual Currently the when using
SignFile
to sign with SHA256 digest (TargetFrameworkVersion >= v4.5), it only supports using SHA1 digest for the timestamp. (it uses/t <timestamp-url>
).https://github.com/Microsoft/msbuild/blob/a9f64ebd108702c3fc65339c66cb124217854524/src/Tasks/ManifestUtil/SecurityUtil.cs#L755-L756
Dual signing It would also be really nice to be able to dual sign, which would require the
/as
signtool parameter