electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

signtool time server rate limited? #3101

Closed fridgerator closed 5 years ago

fridgerator commented 6 years ago

In 20.19.1, one of the bug fixes is "sign all exe and dll files, not only root (37bb121)".

If the application contains a lot of dll and exe files, then I think signing of the files is getting rate limited or something because the first ~17 or so files sign correctly but after that I get an exception: SignTool Error: The specified timestamp server either could not be reached or returned an invalid response

After reverting back to an older version of electron-builder (19.55.3), where only a few files are signed, my application builds successfully again.

Output log:

C:\directory_ommited>electron-builder  --publish never 
  • electron-builder version=20.19.2
  • loaded configuration file=package.json ("build" field)
  • rebuilding native production dependencies platform=win32 arch=x64
  • packaging       platform=win32 arch=x64 electron=1.7.9 appOutDir=dist\win-unpacked
  • signing         file=dist\win-unpacked\resources\alex\MSVCP140.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\hdf.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\hdf5_cpp.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\hdf5_hl_cpp.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\hdf5_hl.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\hdf5_tools.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\jpeg.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\libcurl.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\r\unins000.exe certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\hdf5.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\zlib.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\ucrtbase.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\tk86t.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\tcl86t.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\sqlite3.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\pywintypes36.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
  • signing         file=dist\win-unpacked\resources\alex\pythoncom36.dll certificateFile=C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12
Error: Exit code: 1. Command failed: C:\Users\jenkins\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-2.1.0\windows-10\x64\signtool.exe sign /t http://timestamp.globalsign.com/scripts/timstamp.dll /f C:\Users\jenkins\AppData\Local\Temp\temp-dir-Jab5Po\0.p12 /d app_name_ommited /du url_ommited /p hash_ommited (sha256 hash) /debug C:\directory_ommited\hdf5_hl.dll
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: C:\directory_ommited\hdf5_hl.dll

fridgerator commented 6 years ago

I have also tried with the symantec server http://sha256timestamp.ws.symantec.com/sha256/timestamp with the same result

develar commented 6 years ago

@pronebird I will disable DLL code signing until the "is already signed" check is implemented. For now, the option win.signDlls will be added for you if you want to enable this feature.

pronebird commented 6 years ago

@develar great, thanks for pinging me.

If there is a certain rate limit on the server, we could parse the response from the server and add a sleep interval once the rate limit is reached, then retry after.

Not sure how much it would complicate the code but it seems reasonable to retry on failure because any network issues may naturally occur while code signing, and given that we have projects that take like 10 minutes to sign everything, I think it makes sense to improve the networking reliability.

Alternatively use a non-rate limited server or a server with a higher rate limit from your CA.
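
The retry-on-failure idea from the comment above, as an added example that is not part of the thread and is not electron-builder's code. `signOnce`, the option names and `makeFlakySigner` are hypothetical; only the SignTool error text is taken from the log in this issue.

```javascript
// Added example. signOnce(file, server) is a hypothetical caller-supplied
// function (for instance a wrapper around execFileSync of signtool); it is
// not an electron-builder API.
const TIMESTAMP_ERROR =
  /timestamp server either could not be reached or\s+returned an invalid response/i;

// Blocking sleep, so the wrapper also fits synchronous build scripts.
function sleepSync(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

function isTimestampFailure(err) {
  return TIMESTAMP_ERROR.test(String((err && (err.stderr || err.message)) || ""));
}

function signWithRetry(signOnce, file, options = {}) {
  const { servers = [], maxAttempts = 5, baseDelayMs = 2000,
          maxDelayMs = 60000, sleep = sleepSync } = options;
  if (servers.length === 0) throw new Error("no timestamp servers configured");
  const attempts = [];
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const server = servers[attempt % servers.length]; // rotate between servers
    try {
      signOnce(file, server);
      attempts.push({ server, ok: true });
      return attempts;
    } catch (err) {
      // Retry only timestamp-service failures. A wrong password or a bad
      // certificate fails fast, and the timestamp is never dropped just to
      // make the build pass.
      if (!isTimestampFailure(err)) throw err;
      attempts.push({ server, ok: false });
      if (attempt < maxAttempts - 1) {
        sleep(Math.min(maxDelayMs, baseDelayMs * 2 ** attempt)); // exponential backoff
      }
    }
  }
  const failure = new Error(`timestamping ${file} failed after ${maxAttempts} attempts`);
  failure.attempts = attempts;
  throw failure;
}

// Constructed signer: fails `failures` times with the error text from the log.
function makeFlakySigner(failures) {
  let calls = 0;
  return (file, server) => {
    if (++calls > failures) return;
    const err = new Error("Exit code: 1. Command failed");
    err.stderr = "SignTool Error: The specified timestamp server either could not be reached or\nreturned an invalid response.";
    throw err;
  };
}
```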

aluxian commented 5 years ago

I was encountering the same error with the default (comodo) timestamping server.

I switched to http://tsa.startssl.com/rfc3161 and this one seems to work fine for now.

I found it here: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710

michihuber commented 5 years ago

@aluxian, how did you switch the timestamp server? (I checked the config options but didn't find anything related, sorry if I missed it)

aluxian commented 5 years ago

rfc3161TimeStampServer, here's my config:

"win": {
  "icon": "build/icon.ico",
  "target": [
    {
      "target": "nsis-web",
      "arch": [
        "x64",
        "ia32"
      ]
    }
  ],
  "rfc3161TimeStampServer": "http://tsa.startssl.com/rfc3161",
  "publisherName": "xxx",
  "verifyUpdateCodeSignature": false,
  "signDlls": true
},

develar commented 5 years ago

In 21 it should be better.