How do I add a timestamp when digitally signing a file in C#?

I tried to implement in .NET C# a utility similar to signtool.exe. To digitally sign a file, I used the classes SignedCms and CmsSigner.

using System.IO;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

CmsSigner signer; // built from an X509Certificate2 that has a private key
...
// Attached (non-detached) CMS signature over the raw file bytes
SignedCms content =
    new SignedCms(new ContentInfo(File.ReadAllBytes(aFileToSign)));
content.ComputeSignature(signer, true); // silent = true: never prompt for the key

However, I am not sure how to add a timestamp received from a time server. signtool.exe has the option

signtool sign /t "time server url" ...

One possibility seems to consist in using the Pkcs9SigningTime class, but I don't know how to use it correctly in conjunction with a timestamp server. All of the examples use Pkcs9SigningTime and the current time of the system. With a time server, it may be more complicated because the time server has its own certificate, and the answer will contain the time and a hash used as a countersignature.

Can anyone provide some clues about that?

mircea asked Oct 11 '11 12:10


1 Answer

The Authenticode(tm) timestamp protocol predates the Time-Stamp Protocol defined in RFC 3161. However (and IIRC) there is no direct support for asking for a timestamp built into .NET.

So you can either:

  1. build a TSP client to get your timestamps; or

  2. piggyback the existing free timestamp servers that are around for code signing.

While I would suggest #1 in most cases (it's a standard and more future-proof), I'm not sure if there are C# libraries available that support that today.

If you're interested in #2 then I know (because I've written it ;-) that the code is available inside Mono (MIT.X11 licensed) to support Authenticode(tm) and code signing (including timestamping).

poupou answered Sep 28 '22 02:09
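To make option #1 from the answer concrete, here is an added example of a minimal RFC 3161 client in C#. It is not poupou's Mono code and is not part of either post. It relies on Rfc3161TimestampRequest, Rfc3161TimestampToken and SignerInfo.AddUnsignedAttribute, which were added to System.Security.Cryptography.Pkcs in later .NET versions (.NET Core 3.0 and newer; RandomNumberGenerator.GetBytes needs .NET 6) and did not exist when the question was asked. The TSA URL, signing certificate and file path are placeholders you supply; the example uses a detached signature, which is the usual shape for a signtool-like tool.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not from the original posts): sign a file with SignedCms, then fetch an
// RFC 3161 timestamp from a TSA over HTTP and attach it as the unsigned attribute
// id-aa-signatureTimeStampToken (OID 1.2.840.113549.1.9.16.2.14).
public static class TimestampedSigner
{
    private static readonly Oid SignatureTimeStampToken = new Oid("1.2.840.113549.1.9.16.2.14");

    // tsaUrl is a placeholder for whatever RFC 3161 service you actually use.
    public static async Task<byte[]> SignAndTimestampAsync(string fileToSign, X509Certificate2 signingCert, Uri tsaUrl)
    {
        // 1. Ordinary detached CMS signature over the file contents (the same step as in the question).
        var content = new ContentInfo(File.ReadAllBytes(fileToSign));
        var signedCms = new SignedCms(content, detached: true);
        var signer = new CmsSigner(signingCert) { IncludeOption = X509IncludeOption.WholeChain };
        signedCms.ComputeSignature(signer, silent: true);
        SignerInfo signerInfo = signedCms.SignerInfos[0];

        // 2. Build a TimeStampReq whose messageImprint is the hash of the signature value.
        //    The nonce lets ProcessResponse reject a replayed or unrelated reply.
        byte[] nonce = RandomNumberGenerator.GetBytes(16);
        Rfc3161TimestampRequest request = Rfc3161TimestampRequest.CreateFromSignerInfo(
            signerInfo,
            HashAlgorithmName.SHA256,
            nonce: new ReadOnlyMemory<byte>(nonce),
            requestSignerCertificates: true);

        // 3. POST the DER request to the TSA (HTTP transport from RFC 3161 section 3.4).
        using var http = new HttpClient();
        using var body = new ByteArrayContent(request.Encode());
        body.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
        using HttpResponseMessage response = await http.PostAsync(tsaUrl, body);
        response.EnsureSuccessStatusCode();
        byte[] replyBytes = await response.Content.ReadAsByteArrayAsync();

        // 4. Parse the TimeStampResp; this throws if the status, nonce or messageImprint
        //    do not match the request we sent.
        Rfc3161TimestampToken token = request.ProcessResponse(replyBytes, out _);

        // 5. Check the TSA's signature really covers our SignerInfo before trusting the token.
        if (!token.VerifySignatureForSignerInfo(signerInfo, out X509Certificate2? tsaCert))
            throw new CryptographicException("Timestamp token does not verify against the signature.");
        Console.WriteLine($"Timestamped at {token.TokenInfo.Timestamp:u} by {tsaCert?.Subject}");

        // 6. Attach the token as an unsigned attribute. It is countersignature-like: it covers the
        //    signature value, not the file, so adding it does not invalidate the signature.
        byte[] tokenBytes = token.AsSignedCms().Encode();
        signerInfo.AddUnsignedAttribute(new AsnEncodedData(SignatureTimeStampToken, tokenBytes));

        return signedCms.Encode();
    }

    // Re-reads a stored detached signature and returns the TSA time if both the signature
    // and the embedded timestamp token verify; null if no valid token is present.
    public static DateTimeOffset? VerifyAndGetTimestamp(byte[] signedData, byte[] originalFile)
    {
        var cms = new SignedCms(new ContentInfo(originalFile), detached: true);
        cms.Decode(signedData);
        cms.CheckSignature(verifySignatureOnly: false); // throws if signature or chain is bad

        SignerInfo si = cms.SignerInfos[0];
        foreach (CryptographicAttributeObject attr in si.UnsignedAttributes)
        {
            if (attr.Oid.Value != SignatureTimeStampToken.Value) continue;
            if (!Rfc3161TimestampToken.TryDecode(attr.Values[0].RawData, out Rfc3161TimestampToken? token, out _))
                continue;
            if (token != null && token.VerifySignatureForSignerInfo(si, out _))
                return token.TokenInfo.Timestamp;
        }
        return null;
    }
}
```

The point of steps 4 and 5 is that the reply is only trusted after .NET has matched it to the request (status, nonce, imprint) and after the TSA signature has been checked against the exact SignerInfo it claims to cover; skipping either check lets a wrong or stale token be embedded. VerifyAndGetTimestamp shows the reverse direction a verifier needs, since the timestamp is what lets a signature remain meaningful after the signing certificate expires.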