Closed st-gr closed 2 months ago
You seem to confuse the signingTime attribute (https://datatracker.ietf.org/doc/html/rfc5652#section-11.3) with a timestamp, which is implemented as a countersignature. You can clearly see that there are no countersignatures on that signature. See an actually timestamped file for comparison.
The purpose of osslsigncode is to produce valid authenticode signatures, and not to mimic all the quirks of signtool.
I realized that it was the "Timestamp" value in the partially visible "test-osslsigncode-signed.appx Properties" window screenshot. This is a bug in Windows, as the printed value is not derived from an actual timestamp, evident in the "Digital Signature Details" window, where the "Countersignatures" table does not contain any timestamp. Feel free to report this bug to Microsoft.
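
The distinction drawn in the replies above, as an added example that is not part of the original thread or of osslsigncode: a minimal DER walk over one CMS SignerInfo that reports a signer-asserted signingTime separately from a timestamp carried in the unsigned attributes. The function names and the sample SignerInfo are constructed for illustration, and the input is assumed to be an already extracted DER SignerInfo.

```python
# OIDs are compared as raw DER bodies; dotted forms are given in the comments.
SIGNING_TIME = bytes.fromhex("2a864886f70d010905")  # 1.2.840.113549.1.9.5, RFC 5652 section 11.3
TIMESTAMP_OIDS = {
    bytes.fromhex("2a864886f70d010906"): "PKCS#9 countersignature (1.2.840.113549.1.9.6)",
    bytes.fromhex("2b060104018237030301"): "RFC 3161 timestamp token (1.3.6.1.4.1.311.3.3.1)",
}

def read_tlvs(buf):
    """Yield (tag, content) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + length]
        i += length

def attribute_oids(set_body):
    """Raw OID of every Attribute ::= SEQUENCE { attrType, attrValues } in a SET."""
    return [next(read_tlvs(attr))[1] for tag, attr in read_tlvs(set_body) if tag == 0x30]

def time_evidence(signer_info_der):
    """Separate the signer's own time claim from third-party timestamps."""
    (_, body), = read_tlvs(signer_info_der)
    result = {"signing_time_attr": False, "timestamps": []}
    for tag, content in read_tlvs(body):
        if tag == 0xA0:    # signedAttrs [0]: whatever clock value the signer chose to assert
            result["signing_time_attr"] = SIGNING_TIME in attribute_oids(content)
        elif tag == 0xA1:  # unsignedAttrs [1]: where a countersignature or TSA token lives
            result["timestamps"] = [TIMESTAMP_OIDS[o] for o in attribute_oids(content) if o in TIMESTAMP_OIDS]
    return result

def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form length only: sample elements stay under 128 bytes

def sample_signer_info(with_timestamp):
    """Constructed SignerInfo skeleton: real field layout, dummy values, not a verifiable signature."""
    attr = lambda oid: tlv(0x30, tlv(0x06, oid) + tlv(0x31, tlv(0x04, b"constructed")))
    parts = [tlv(0x02, b"\x01"), tlv(0x30), tlv(0x30), tlv(0xA0, attr(SIGNING_TIME)), tlv(0x30), tlv(0x04, b"sig")]
    if with_timestamp:
        parts.append(tlv(0xA1, attr(bytes.fromhex("2b060104018237030301"))))
    return tlv(0x30, b"".join(parts))

if __name__ == "__main__":
    print(time_evidence(sample_signer_info(False)))  # signingTime only, no timestamp
    print(time_evidence(sample_signer_info(True)))   # signingTime plus a timestamp attribute
```

A result with `signing_time_attr` true and an empty `timestamps` list matches the case discussed in this issue: a time value the signer wrote, with no countersignature backing it.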
Description: I've observed a discrepancy between the behavior of Windows `signtool` and `osslsigncode` when signing an Appx file without specifying a timestamp server URL. When using `signtool`, the resulting signature does not display a timestamp in the properties dialog of the digital signature, showing "Signing time: Not available." In contrast, `osslsigncode` includes a timestamp in the same scenario.

Steps to Reproduce:

- `signtool` without passing a timestamp server URL.
  `signtool.exe sign /fd sha256 /f C:\CordovaApp_TemporaryKey.pfx C:\test-signtool-signed.appx` (without parameter /tr timestampURL)
- `osslsigncode` under the same conditions.
  `osslsigncode.exe sign -in "C:\test-unsigned.appx" -out C:\test-osslsigncode-signed.appx -pkcs12 C:\CordovaApp_TemporaryKey.pfx -h sha256` (without parameter -ts timestampURL)

Expected Behavior: The `signtool` does not add a timestamp when no timestamp server URL is provided, which is the expected behavior.

Actual Behavior: `osslsigncode` unexpectedly adds a timestamp even without a timestamp server URL being specified.

Additional Information: This inconsistency may lead to confusion or misinterpretation of the signature's validity period. Clarification on whether this is intended behavior or a bug would be appreciated.