-
-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
windows: add multiple timestamps #178
Conversation
@gdams - did it work? |
proposed fix and some improvement here gdams#1 |
fix tsa + debug option
another timeout seen yesterday |
okay this is updated and ready to go, In principle, this could go in before the CPU releases to avoid the need for a rebuild if the signing job fails due to timeout CC @karianna |
We have a little pb here .. it seems a lot of url are different for sha1/sha256 sign So we must add a param to url or manage two different list of url ..
It must be replaced with SHA1/SHA256 http://timestamp.digicert.com?alg=sha256 Also comodoca don't use /authenticode anymore https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710#gistcomment-3342213
Also for sha256 : http://timestamp.comodoca.com?td=sha256 So maybe we must probably append sha1/sha256 to url used with signtools when we required one or the other algo We probably can use more timestamp server list as this maintained list : https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710 Sorry to not help so much as I'm not on Windows and can't test which timestamp url/service works .. |
CC - @gdams JIC |
and dual signing msi are visibly particulary painfull https://support.ksoftware.net/support/solutions/articles/217399-how-do-i-dual-sign-a-file-
If all our msi are already signed only with sha256 can't we stick with that ? |
@douph1 after talking to some MSFT folks, SHA1 signing has been deprecated for some time. They recommend that we just use SHA256 so I'll update the PR. |
@douph1 can you review again? |
I will asap |
* timestamp server : lower retry delay * timestamp server : update list * Update Build.OpenJDK_generic.cmd Co-authored-by: George Adams <george.adams@microsoft.com>
@douph1 merged! thanks |
fixes: adoptium/temurin-build#1963
test job: https://ci.adoptopenjdk.net/job/build-scripts/job/release/job/standalone_create_installer_windows/117/console