mtrojnar
commented
2 months ago You seem to confuse the signingTime attribute (https://datatracker.ietf.org/doc/html/rfc5652#section-11.3) with a timestamp, which is implemented as a a countersignature. You can clearly see that that there are no countersignatures, on that signature. See an actually timestamped file for comparison.
The purpose of osslsigncode is to produce valid authenticode signatures, and not to mimic all the quirks of signtool.
Description: I've observed a discrepancy between the behavior of Windows
signtoolandosslsigncodewhen signing an Appx file without specifying a timestamp server URL. When usingsigntool, the resulting signature does not display a timestamp in the properties dialog of the digital signature, showing "Signing time: Not available." In contrast,osslsigncodeincludes a timestamp in the same scenario.Steps to Reproduce:
signtoolwithout passing a timestamp server URL.signtool.exe sign /fd sha256 /f C:\CordovaApp_TemporaryKey.pfx C:\test-signtool-signed.appx(without parameter /tr timestampURL)osslsigncodeunder the same conditions.osslsigncode.exe sign -in "C:\test-unsigned.appx" -out C:\test-osslsigncode-signed.appx -pkcs12 C:\CordovaApp_TemporaryKey.pfx -h sha256(without parameter -ts timestampURL)Expected Behavior: The
signtooldoes not add a timestamp when no timestamp server URL is provided, which is the expected behavior.Actual Behavior:
osslsigncodeunexpectedly adds a timestamp even without a timestamp server URL being specified.Additional Information: This inconsistency may lead to confusion or misinterpretation of the signature's validity period. Clarification on whether this is intended behavior or a bug would be appreciated.