Microsoft.WinGetSourceCreator.Helpres not using time server for signing

microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).

https://learn.microsoft.com/windows/package-manager/

MIT License

23.35k stars 1.45k forks source link

Microsoft.WinGetSourceCreator.Helpres not using time server for signing #4948

Open JohnnyElvis opened 2 weeks ago

JohnnyElvis commented 2 weeks ago

Brief description of your issue

Microsoft.WinGetSourceCreator.Helpres SignFile is not using a time server for signing.

Once a code signing certificate expires signed packages will no longer be usable without a time stamp.

Steps to reproduce

Look into src\WinGetSourceCreator\Helpres.cs

Line 39

Expected behavior

Time stamp is added to signature

Actual behavior

No time stamp is added to signature

Environment

Windows 11 Enterprise

denelon commented 1 week ago

The PreIndexed package source is updated every time the publishing pipeline runs over at winget-pkgs. In general, the index gets refreshed mutiple times per day. I'm not sure we actually need or want to have this package to be usable if it's expired. The winget source reset --force command will reset the sources and the winget source update command would also help a user get the latest version of this package.