mattermost / desktop

Mattermost Desktop application for Windows, Mac and Linux
Apache License 2.0

Use a non rate limited timestamp server to accelerate Windows builds #1229

Open wget opened 4 years ago

wget commented 4 years ago

Summary

Creating Windows builds is taking way too much time because there is a 15-second sleep delay each time a file needs to be signed.

This is due to the fact that the public timestamp server we use is being rate limited. https://github.com/mattermost/desktop/blob/master/scripts/Makefile.ps1#L316

Hopefully, it appears there are servers which are not rate limited. @metanerd has created an infra team ticket in order to get access to a non rate limited server (it needs authentication, which may need to be a paid authentication), which will decrease the build process time.

Environment

Steps to reproduce

Try to build a signed version of Mattermost

Expected behavior

A faster build

Observed behavior

A slow build

Possible fixes

Switch to a non rate limited timestamp server https://github.com/mattermost/desktop/blob/master/scripts/Makefile.ps1#L316

wget commented 4 years ago

Link to discussion on Mattermost: https://community.mattermost.com/core/pl/mc8sdg8patbajres5s6tfwufwy

wget commented 4 years ago

The code certificates we use have been bought at GoDaddy.

Their TSA server (http://tsa.starfieldtech.com) is known to be rate limited.

In the code, we are using http://timestamp.digicert.com as TSA server from Digicert which is less rate limited than the one from GoDaddy.

GoDaddy is not providing instructions about how to use and get rid of their TSA rate limit. The only forum topic we have asks to contact GoDaddy.

I phoned GoDaddy and they are refusing to give additional instructions if we cannot 1) show we have a code signing certificate bought at GoDaddy and 2) prove ownership of the account (PIN code in the web UI). :/ I even tried posing as a new client, just to see, and the answer has been the same :(

jaydeland commented 4 years ago

We can potentially move to CloudHSM with AWS: https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-prereqs.html https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-csr.html

wget commented 4 years ago

Hi @jaydeland

> We can potentially move to CloudHSM with AWS: https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-prereqs.html https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-csr.html

Except that with the instructions, I don't see any call to a Time Stamping Authority (TSA).

We can see that the /tr "<TSA SERVER URL>" argument to signtool.exe is missing.

I don't see any mention of Amazon being a TSA authority. :/

jaydeland commented 4 years ago

Sorry - forgot to link this doc: https://aws.amazon.com/blogs/security/signing-executables-with-microsoft-signtool-exe-using-aws-cloudhsm-backed-certificates/

wget commented 4 years ago

Firefox is using Digicert as TSA authority.

Google Chrome is using Digicert as well.

Adobe seems to be using Digicert as well.

wget commented 4 years ago

So to summarize, it seems there are only two TSA authorities in the world:

Since everyone seems to be using Digicert, that's maybe for a reason ;)

RandallFlagg commented 3 years ago

Maybe this will help, maybe it won't: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710

wget commented 3 years ago

Just got confirmation from @cloph via @arnaudversini, the LibreOffice project seems to use this provider for code signing certificates (noticeably cheaper). https://www.certum.eu/en/code-signing-certificates/

And as for the timestamping server being used, it is not Digicert but Certum's own TSA server (http://time.certum.pl/).

devinbinnie commented 2 years ago

Created a JIRA ticket to look at this: https://mattermost.atlassian.net/browse/MM-40570 Definitely worth investigating at some point.

Manouchehri commented 1 year ago

You can give my load balancer a go.

This should be slightly faster in theory, as there are more CAs used:

https://rfc3161.ai.moda/microsoft

Or, if you want to limit yourself to only Digicert, Sectigo, GlobalSign, and Entrust (almost everyone accepts these CAs), use this URL:

https://rfc3161.ai.moda/
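
The issue attributes the slow build to a fixed 15-second sleep each time a file is signed against a rate-limited TSA. As an added example (not code from the Mattermost repository or from any commenter in this thread), the PowerShell function below waits only after a timestamp request actually fails, falls back to a second TSA, and then verifies that the signature really carries a timestamp. The function name, its parameters, the retry values, the TSA order and the use of `/a` for certificate selection are assumptions.

```powershell
# Added example; not code from the Mattermost repository.
# Invoke-SignWithTsaFallback and its parameters are hypothetical names.
function Invoke-SignWithTsaFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # TSA URLs quoted in this thread; the order is an assumption.
        [string[]] $TimestampUrl = @(
            'http://timestamp.digicert.com',
            'http://time.certum.pl/'
        ),
        [int] $MaxRounds = 3,
        [int] $InitialDelaySeconds = 2,
        # Assumes signtool.exe is on PATH and /a can find the certificate.
        [string] $SignTool = 'signtool.exe'
    )

    foreach ($file in $Path) {
        $delay  = $InitialDelaySeconds
        $signed = $false

        for ($round = 1; ($round -le $MaxRounds) -and (-not $signed); $round++) {
            foreach ($url in $TimestampUrl) {
                # /tr requests an RFC 3161 timestamp; /td and /fd select SHA-256.
                & $SignTool sign /a /fd SHA256 /tr $url /td SHA256 $file
                if ($LASTEXITCODE -eq 0) { $signed = $true; break }
                Write-Warning "Round ${round}: signing $file with TSA $url failed (exit $LASTEXITCODE)"
            }
            # Back off only after every TSA has failed, doubling the wait each round.
            if ((-not $signed) -and ($round -lt $MaxRounds)) {
                Start-Sleep -Seconds $delay
                $delay *= 2
            }
        }
        if (-not $signed) {
            throw "Could not sign and timestamp $file after $MaxRounds rounds"
        }

        # /pa uses the default Authenticode policy; /tw warns (non-zero exit)
        # when the signature carries no timestamp, so that case fails the build.
        & $SignTool verify /pa /tw $file
        if ($LASTEXITCODE -ne 0) {
            throw "Signature on $file failed verification or is missing a timestamp"
        }
    }
}
```

Every URL in `$TimestampUrl` is a third party whose timestamp the shipped binary will depend on after the signing certificate expires, so the list should contain only TSAs the project has decided to trust.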