I tried to implement in .NET C# a utility similar to signtool.exe. To digitally sign a file, I used the classes SignedCms and CmsSigner.
using System.IO;
using System.Security.Cryptography.Pkcs;

CmsSigner signer;
...   // signer is built from the signing certificate here
SignedCms content =
    new SignedCms(new ContentInfo(File.ReadAllBytes(aFileToSign)));
content.ComputeSignature(signer, true);   // true = silent: no UI prompt for the private key
However, I am not sure how to add a timestamp received from a time server. signtool.exe has the option
signtool sign /t "time server url" ...
One possibility seems to consist in using the Pkcs9SigningTime class, but I don't know how to use it correctly in conjunction with a timestamp server. All of the examples use Pkcs9SigningTime and the current time of the system. With a time server, it may be more complicated because the time server has its own certificate, and the answer will contain the time and a hash used as a countersignature.
Can anyone provide some clues about that?
The Authenticode(tm) timestamp protocol predates the Time-Stamp Protocol defined in RFC3161. However (and IIRC) there is no direct support for asking for a timestamp built into .NET.
So you can either:
1. build a TSP client to get your timestamps; or
2. piggyback the existing free timestamp servers that are around for code signing.
While I would suggest #1 in most cases (it's a standard and more future proof) I'm not sure if there are C# libraries available that support that today.
If you're interested in #2 then I know (because I've written it ;-) that the code is available inside Mono (MIT.X11 licensed) to support Authenticode(tm) and code signing (including timestamping).
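As an added example (not code from the question, the answer, or Mono), here is what option #1 looks like with the RFC 3161 client that later versions of .NET ship in the System.Security.Cryptography.Pkcs package: the signature is computed as in the question, the signature value is sent to the TSA, the returned token is verified against that signature, and only then is it attached as the id-aa-signatureTimeStampToken countersignature. It assumes .NET 6 or newer; the signing certificate and the timestamp server URL are the caller's inputs, and `TimestampedSigning` is a name chosen for this example.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Example class (hypothetical name): sign a file with SignedCms/CmsSigner, obtain an
// RFC 3161 timestamp token over the signature value, verify it, and embed it as an
// unsigned attribute of the SignerInfo. Requires .NET 6+ (System.Security.Cryptography.Pkcs).
static class TimestampedSigning
{
    // id-aa-signatureTimeStampToken, RFC 3161 Appendix A.
    static readonly Oid SignatureTimeStampToken = new Oid("1.2.840.113549.1.9.16.2.14");

    // Produce a CMS signature over the file, countersign it with a TSA token, return the DER blob.
    public static async Task<byte[]> SignAndTimestampAsync(
        string fileToSign, X509Certificate2 signingCert, Uri timestampServer)
    {
        var content = new SignedCms(new ContentInfo(File.ReadAllBytes(fileToSign)));
        var signer = new CmsSigner(signingCert);
        content.ComputeSignature(signer, silent: true);

        SignerInfo signerInfo = content.SignerInfos[0];

        // The TSA timestamps a hash of the signature value, so the request is built from the SignerInfo.
        byte[] nonce = RandomNumberGenerator.GetBytes(16);   // lets ProcessResponse detect a replayed reply
        Rfc3161TimestampRequest request = Rfc3161TimestampRequest.CreateFromSignerInfo(
            signerInfo,
            HashAlgorithmName.SHA256,
            nonce: nonce,
            requestSignerCertificates: true);   // ask the TSA to include its own certificate

        byte[] reply = await PostTimestampQueryAsync(timestampServer, request.Encode());

        // ProcessResponse rejects a failed status, a wrong nonce, or an imprint that differs from the request.
        Rfc3161TimestampToken token = request.ProcessResponse(reply, out _);

        // Confirm the token's signature covers this SignerInfo and was made by the certificate it carries.
        // This does NOT chain the TSA certificate to a trusted root; that policy check is still yours.
        if (!token.VerifySignatureForSignerInfo(signerInfo, out X509Certificate2? tsaCert))
            throw new CryptographicException("Timestamp token does not match the signature.");

        Console.WriteLine($"Timestamp {token.TokenInfo.Timestamp:u} issued by {tsaCert!.Subject}");

        // The token goes in an *unsigned* attribute: the signature was computed before the token existed.
        signerInfo.AddUnsignedAttribute(
            new AsnEncodedData(SignatureTimeStampToken, token.AsSignedCms().Encode()));

        return content.Encode();
    }

    // RFC 3161 section 3.4 transport: POST the DER TimeStampReq as application/timestamp-query;
    // the TSA replies with a DER TimeStampResp as application/timestamp-reply.
    static async Task<byte[]> PostTimestampQueryAsync(Uri tsa, byte[] encodedRequest)
    {
        using var http = new HttpClient();
        var body = new ByteArrayContent(encodedRequest);
        body.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
        using HttpResponseMessage response = await http.PostAsync(tsa, body);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsByteArrayAsync();
    }

    // Verifier side: check the signature and chain, then read the time from the TSA token
    // rather than from any Pkcs9SigningTime the signer asserted about itself.
    public static DateTimeOffset? ReadTimestamp(byte[] encodedSignedCms)
    {
        var cms = new SignedCms();
        cms.Decode(encodedSignedCms);
        cms.CheckSignature(verifySignatureOnly: false);   // throws if the signature or its chain is bad

        SignerInfo signerInfo = cms.SignerInfos[0];
        foreach (CryptographicAttributeObject attr in signerInfo.UnsignedAttributes)
        {
            if (attr.Oid.Value != SignatureTimeStampToken.Value) continue;
            if (!Rfc3161TimestampToken.TryDecode(attr.Values[0].RawData, out var token, out _))
                continue;
            if (token!.VerifySignatureForSignerInfo(signerInfo, out _))
                return token.TokenInfo.Timestamp;
        }
        return null;   // no usable countersignature present
    }
}
```

Pkcs9SigningTime is a signed attribute that the signer fills in from its own clock, so it proves nothing about when the signature was made; the TSA token is what an independent verifier should read, which is why `ReadTimestamp` ignores the signed attributes entirely. The two checks to keep are the nonce/imprint check done by `ProcessResponse` and the `VerifySignatureForSignerInfo` call on both the signing and the verifying side; whether `tsaCert` is a TSA you trust is a separate chain-building step that this example leaves to the caller.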