
windows: add multiple timestamps #178

Merged: 10 commits, Aug 26, 2020

Conversation

gdams
Member

@gdams gdams commented Nov 6, 2019

@gdams gdams changed the title add multiple timestamps WIP: add multiple timestamps Nov 6, 2019
@karianna karianna added this to the November 2019 milestone Nov 7, 2019
@karianna karianna added this to To do in installer via automation Nov 7, 2019
@karianna karianna modified the milestones: November 2019, December 2019 Dec 4, 2019
@karianna karianna modified the milestones: December 2019, January 2020 Jan 26, 2020
@karianna karianna modified the milestones: January 2020, February 2020 Feb 10, 2020
@karianna karianna moved this from To do to In progress in installer Feb 21, 2020
@karianna
Contributor

@gdams - did it work?

@karianna karianna modified the milestones: February 2020, March 2020 Mar 15, 2020
@karianna karianna modified the milestones: March 2020, April 2020 Apr 2, 2020
@douph1 douph1 self-requested a review May 13, 2020 14:44
@karianna karianna modified the milestones: April 2020, May 2020 May 13, 2020
@douph1
Contributor

douph1 commented May 18, 2020

proposed fix and some improvements here: gdams#1

@karianna
Contributor

> proposed fix and some improvements here: gdams#1

CC @gdams

@karianna karianna modified the milestones: May 2020, June 2020 Jun 4, 2020
@douph1
Contributor

douph1 commented Jun 5, 2020

another timeout seen yesterday

@karianna karianna removed this from the June 2020 milestone Jul 5, 2020
@gdams gdams marked this pull request as ready for review July 13, 2020 12:52
@gdams gdams changed the title WIP: add multiple timestamps windows: add multiple timestamps Jul 13, 2020
@gdams
Member Author

gdams commented Jul 13, 2020

okay this is updated and ready to go. In principle, this could go in before the CPU releases to avoid the need for a rebuild if the signing job fails due to a timeout

CC @karianna

wix/serverTimestamp.config (review thread, outdated, resolved)
@douph1
Contributor

douph1 commented Jul 16, 2020

We have a little problem here... it seems a lot of URLs are different for SHA1/SHA256 signing,
and we do both: "REM Dual-Signing with SHA-1/SHA-256 requires Win 8.1 SDK or later."

So we must add a param to the URL or manage two different lists of URLs.
Also some timestamp services seem to use the same URL for both SHA1/SHA256, but this is not clear to me.

It must be replaced with SHA1/SHA256: http://timestamp.digicert.com?alg=sha256

Also comodoca doesn't use /authenticode anymore

https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server

https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710#gistcomment-3342213

But for sectigo (comodoca), only the certificate of the SHA1 certificate chain expired on May 31st, 2020. It's not a surprise; this certificate has long been prescribed.

Also for SHA256: http://timestamp.comodoca.com?td=sha256

So maybe we must append sha1/sha256 to the URL used with signtool when we require one or the other algo.

We probably can use a longer timestamp server list, such as this maintained list: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710
(if we lower the retry delay)

https://stackoverflow.com/questions/9714798/http-timestamp-verisign-com-scripts-timstamp-dll-not-available

Sorry not to help more, as I'm not on Windows and can't test which timestamp URL/service works.

@karianna
Contributor

> We have a little problem here... it seems a lot of URLs are different for SHA1/SHA256 signing,
> and we do both: "REM Dual-Signing with SHA-1/SHA-256 requires Win 8.1 SDK or later."
>
> So we must add a param to the URL or manage two different lists of URLs.
> Also some timestamp services seem to use the same URL for both SHA1/SHA256, but this is not clear to me.
>
> It must be replaced with SHA1/SHA256: http://timestamp.digicert.com?alg=sha256
>
> Also comodoca doesn't use /authenticode anymore
>
> https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server
>
> https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710#gistcomment-3342213
>
> But for sectigo (comodoca), only the certificate of the SHA1 certificate chain expired on May 31st, 2020. It's not a surprise; this certificate has long been prescribed.
>
> Also for SHA256: http://timestamp.comodoca.com?td=sha256
>
> So maybe we must append sha1/sha256 to the URL used with signtool when we require one or the other algo.
>
> We probably can use a longer timestamp server list, such as this maintained list: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710
> (if we lower the retry delay)
>
> https://stackoverflow.com/questions/9714798/http-timestamp-verisign-com-scripts-timstamp-dll-not-available
>
> Sorry not to help more, as I'm not on Windows and can't test which timestamp URL/service works.

CC - @gdams JIC

@douph1
Contributor

douph1 commented Jul 17, 2020

I have tried signing an exe locally and saw that signing with "-fd sha256" like we did overrides the first SHA1 signature.
So double signing doesn't work at this time... but it must be possible with two certs
(screenshot: dualsign)

@douph1
Contributor

douph1 commented Jul 17, 2020

and dual signing MSIs is visibly particularly painful
https://social.msdn.microsoft.com/Forums/ie/en-US/d4b70ecd-a883-4289-8047-cc9cde28b492/sha1-sha256-dualsigning-for-msi?forum=windowssecurity

https://support.ksoftware.net/support/solutions/articles/217399-how-do-i-dual-sign-a-file-

"MSI and other file formats typically do not support dual signing."

If all our MSIs are already signed only with SHA256, can't we stick with that?
It will simplify the script and the timestamp server list

@gdams
Member Author

gdams commented Aug 4, 2020

@douph1 after talking to some MSFT folks, SHA1 signing has been deprecated for some time. They recommend that we just use SHA256 so I'll update the PR.

@karianna
Contributor

karianna commented Aug 6, 2020

@douph1 can you review again?

@douph1
Contributor

douph1 commented Aug 20, 2020

I will asap

@douph1
Contributor

douph1 commented Aug 26, 2020

I have done the last modifications here: gdams#2
Please review and merge, @gdams, then I will approve this one.

* timestamp server : lower retry delay

* timestamp server : update list

* Update Build.OpenJDK_generic.cmd

Co-authored-by: George Adams <george.adams@microsoft.com>
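As an added example (not code from the adoptium installer project or from this PR), here is the loop the thread converges on, modelled in Python: sign SHA-256 only, as decided above, and walk a list of RFC 3161 timestamp servers with a short retry delay so that one timing-out server does not fail the whole signing job. The two URLs are the parameterised ones quoted in the discussion; the certificate subject name and file names are placeholders, and the signtool call is injected so the failover logic can be exercised offline with a constructed fake runner.

```python
"""Failover across several RFC 3161 timestamp servers when signing Windows binaries.

Added example, not code from the adoptium installer project: it models the loop the
thread converges on (SHA-256 only, a list of timestamp servers, a short retry delay).
The signtool call is injected so the loop can be exercised offline with a fake runner.
"""
import subprocess
import time
from typing import Callable, Iterable, List, Optional

# Timestamp servers named in the thread; both carry the digest algorithm as a query
# parameter. Constructed list for the example: verify the URLs before relying on them.
TIMESTAMP_SERVERS = [
    "http://timestamp.digicert.com?alg=sha256",
    "http://timestamp.comodoca.com?td=sha256",
]


def signtool_command(file_path: str, cert_subject: str, ts_url: str) -> List[str]:
    """Build a SHA-256-only signtool command line (the thread's final decision).

    /fd is the file digest, /tr an RFC 3161 timestamp server, /td the timestamp
    digest. /n selects the certificate by subject name; the name is a placeholder.
    """
    return [
        "signtool", "sign",
        "/n", cert_subject,
        "/fd", "sha256",
        "/tr", ts_url,
        "/td", "sha256",
        file_path,
    ]


def run_signtool(cmd: List[str]) -> bool:
    """Real runner: invoke signtool and report success by exit status."""
    return subprocess.run(cmd).returncode == 0


def sign_with_failover(
    file_path: str,
    cert_subject: str,
    servers: Iterable[str] = TIMESTAMP_SERVERS,
    attempts_per_server: int = 2,
    retry_delay: float = 5.0,
    runner: Callable[[List[str]], bool] = run_signtool,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[str]:
    """Try each timestamp server in turn, a few times each, and return the URL that
    produced a signed file, or None when every server failed.

    A low retry_delay keeps one timing-out server from stalling the whole job, which
    is the rebuild scenario the thread wanted to avoid.
    """
    for url in servers:
        for _attempt in range(attempts_per_server):
            if runner(signtool_command(file_path, cert_subject, url)):
                return url
            # Failed (timeout or error): wait briefly, then retry or move on.
            sleep(retry_delay)
    return None


def make_fake_runner(failing_urls: Iterable[str]):
    """Offline stand-in for signtool (constructed): fail for the listed servers and
    record every command so the caller can inspect the retry pattern."""
    failing = set(failing_urls)
    calls: List[List[str]] = []

    def runner(cmd: List[str]) -> bool:
        calls.append(cmd)
        return cmd[cmd.index("/tr") + 1] not in failing

    runner.calls = calls  # type: ignore[attr-defined]
    return runner


if __name__ == "__main__":
    # Simulate the first server timing out and the second accepting the request.
    fake = make_fake_runner({TIMESTAMP_SERVERS[0]})
    chosen = sign_with_failover("OpenJDK.msi", "Placeholder Corp", runner=fake,
                                sleep=lambda _s: None)
    print("signed with:", chosen, "after", len(fake.calls), "signtool calls")
```

With the default of two attempts per server, a dead first server costs two signtool calls and two short delays before the second server is tried; the job only fails when the whole list is exhausted, which is the behaviour the lowered retry delay and longer server list are meant to make cheap.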
@gdams
Member Author

gdams commented Aug 26, 2020

@douph1 merged! thanks

@douph1 douph1 merged commit 10df23e into adoptium:master Aug 26, 2020
installer automation moved this from In progress to Done Aug 26, 2020
@gdams gdams deleted the timestamp branch August 26, 2020 08:53
Successfully merging this pull request may close these issues.

Installer Creation Job Cannot Sign Msi File