Tags: timestamp, code-signing, signtool

How to Code Sign with multiple timestamps - my stamps get overwritten


Problem

Though I get no error from verbose SignTool (manual) commands on my Windows executable, the timestamps get overwritten. I wish there to be multiple timestamps; is that possible?

  • If it is possible, then how?
  • If it is not possible, and I have to use only 1 single timestamp, then which server would you recommend in the long run? (DigiCert is coming to my mind now.)

Here's what I tried

PowerShell function

function sign32exe([string]$arg)
{
    # Sign once with a SHA-256 file digest, picking the certificate automatically (/a)
    & 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe' sign /fd sha256 /a $arg
    Start-Sleep -Seconds 5
    # Then apply an RFC 3161 timestamp (/tr) from three different TSAs in turn
    & 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe' timestamp /tr http://timestamp.globalsign.com/?signature=sha2 /td sha256 /v $arg
    Start-Sleep -Seconds 5
    & 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe' timestamp /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /td sha256 /v $arg
    Start-Sleep -Seconds 5
    & 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe' timestamp /tr http://time.certum.pl /td sha256 /v $arg
}

PowerShell output

I get positive output from SignTool, but the timestamps get overwritten by each invocation (output restructured for better readability):

The signing process goes well:

Done Adding Additional Store
Successfully signed: .\my.exe

Followed by the timestamping, which individually go without a problem:

Successfully timestamped: .\my.exe
Number of files successfully timestamped: 1
Number of errors: 0

Successfully timestamped: .\my.exe
Number of files successfully timestamped: 1
Number of errors: 0

Successfully timestamped: .\my.exe
Number of files successfully timestamped: 1
Number of errors: 0

(Screenshot: only the last timestamp present)


Rationale

The certificate I own is from the Certum authority and is called Standard Code Signing. Since it expires soon, I'd like to ensure my Windows executable does not get into trouble after my signing certificate's expiration. I thought more timestamps would be better in case one server becomes unavailable over time or the service stops; an example of this could be that the Certum authority disappears.


Additional detail

My ideal solution should solve the above problem:

  • by timestamping with more than one server; or

  • by quoting some credible source on that it is not possible


Solution

  • This question looks like a duplicate of Code Signing with Multiple Timestamp servers.

    The short answer is: no, it's not possible to timestamp more than once.

    It's possible however to sign with different algorithms (dual-sign), but it means that there will be two separate signatures generated, each with its own timestamp.

    What would multiple timestamps mean, actually? A timestamp tells the consumer when the asset was signed. It's not possible that the single action of signing was done in two separate moments. Unless there are two different signatures applied, each with own timestamp (dual-sign).

    Also, let's imagine that it's possible to apply two timestamps to the same signature. Let's say that the file is signed on 1/1/2019, the first timestamp is applied on 2/1/2019, and the second timestamp on 3/3/2020. What would it mean for a client that verifies the signature? It wouldn't really make much sense, would it? Only the latter timestamp really matters, if the certificate is still valid - that's why SignTool overrides the previous timestamp.

    Btw, there are a lot of articles about timestamping in general; none of them mention assigning more than one timestamp to a certificate, e.g.:
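The dual-sign approach the answer describes, as an added example (not code from the question or the answer): each signature is timestamped inside its own `sign` call, so no separate `timestamp` pass ever replaces an existing token, and the second signature is appended with `/as` instead of overwriting the first. It assumes the signtool.exe path from the question, a single code-signing certificate selectable with `/a`, and the two TSA URLs quoted in the question; the strings matched in the verify output are an assumption about SignTool's verbose format.

```powershell
# Added example, not from the question or answer.
# Assumptions: signtool path as in the question, one certificate selectable with /a,
# TSA URLs as quoted in the question.
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'

function Invoke-DualSign {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Tsa1 = 'http://time.certum.pl',
        [string]$Tsa2 = 'http://timestamp.globalsign.com/?signature=sha2'
    )

    # Signature 1: SHA-1 file digest, timestamped in the same call (/tr, /td).
    # Timestamping inside "sign" avoids a later "timestamp" pass, which, as the
    # question observed, replaces the timestamp already on a signature.
    & $SignTool sign /fd sha1 /a /tr $Tsa1 /td sha256 /v $Path
    if ($LASTEXITCODE -ne 0) { throw "primary signature failed ($LASTEXITCODE)" }

    # Signature 2: SHA-256 digest, appended (/as) rather than replacing the first,
    # with its own timestamp from a different TSA.
    & $SignTool sign /fd sha256 /a /as /tr $Tsa2 /td sha256 /v $Path
    if ($LASTEXITCODE -ne 0) { throw "appended signature failed ($LASTEXITCODE)" }
}

function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)

    # /all walks every signature in the file, not just the primary one;
    # /pa uses the default Authenticode verification policy.
    $out = & $SignTool verify /pa /all /v $Path 2>&1 | Out-String
    $verified = ($LASTEXITCODE -eq 0)

    # Assumption: verbose verify prints one "Signing Certificate Chain:" block per
    # signature and one "The signature is timestamped:" line per timestamped signature.
    $sigs   = ([regex]::Matches($out, 'Signing Certificate Chain:')).Count
    $stamps = ([regex]::Matches($out, 'The signature is timestamped:')).Count

    [pscustomobject]@{
        Path       = $Path
        Signatures = $sigs
        Timestamps = $stamps
        Verified   = $verified
    }
}

# Usage:
#   Invoke-DualSign -Path .\my.exe
#   Get-SignatureSummary -Path .\my.exe   # a dual-signed file shows Signatures = 2, Timestamps = 2
```

Two points worth keeping in mind when reading the result. The SHA-1 signature exists only for legacy clients; current Windows evaluates the SHA-256 one, so the second timestamp is the one that matters in practice. And an RFC 3161 token is verified offline against the TSA's certificate chain, so a TSA going offline later does not invalidate timestamps it already issued; what an existing timestamp depends on is the TSA's root remaining trusted on the verifying machine.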