
How do you deploy your own Authenticode Timestamping Service?

I would like to timestamp my DLL file with my own Authenticode Timestamping Service. Is this possible? How could I achieve this?

Alexandru asked Jun 27 '12 19:06



2 Answers

You can develop your own timestamping service. You can write a TSP (RFC 3161) server, but Authenticode doesn't use RFC 3161; it uses PKCS#7/PKCS#9 formats as described in an MSDN article (which you can implement as well). Our SecureBlackbox components include a timestamping server component which supports both formats. Update: recent updates to Authenticode use standard RFC 3161 timestamps.

But the problem is getting the certificate which you will use to sign timestamps. This certificate must be issued by one of the CAs, and as I understand it, there exist severe requirements regarding the management and infrastructure aspects of running a timestamp server. In particular you need to have secure timestamping hardware. I didn't dig deep into this question, but these aspects are much more complicated than writing a piece of code.

Still, if you run your own PKI infrastructure (have your own trusted root certificates and CA certificates), then the problem of having a trusted timestamping certificate is solved automatically - you can generate your own certificate.

Eugene Mayevski 'Callback answered Oct 13 '22 18:10


You need to write a custom HTTP Timestamp server. It should follow RFC 3161 Time-Stamp Protocol (TSP) rules.

When you sign your DLL for Authenticode with a tool such as Signtool.exe from the Windows SDK, you can specify the URL of the timestamp server (with the /t switch; see also /tr and /td). You would then point it to your server.

See here on SO for a related question: Trusted Timestamps - understanding the format (rfc3161)

and also: Alternative timestamping services for Authenticode

Simon Mourier answered Oct 13 '22 16:10
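As an added example (not code from either answer, nor from any TSA product), here is what the RFC 3161 exchange Simon describes looks like at the byte level: a builder for the DER TimeStampReq that signtool /tr POSTs to the server, and the parser a custom TSA would run on that request before it signs anything. It assumes SHA-256 imprints only and uses hand-rolled DER helpers instead of an ASN.1 library; the digest values in the test are constructed.

```python
"""RFC 3161 TimeStampReq: build what a signing client sends, parse it server-side."""

SHA256_OID = bytes.fromhex("0609608648016503040201")  # id-sha256 as a complete DER OID TLV

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v: int) -> bytes:
    # byte count chosen so the top bit stays clear (positive DER INTEGER)
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_timestamp_req(digest: bytes, nonce: int) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq TRUE }."""
    alg = der(0x30, SHA256_OID + der(0x05, b""))     # AlgorithmIdentifier { sha256, NULL }
    imprint = der(0x30, alg + der(0x04, digest))     # MessageImprint: the TSA never sees the DLL
    return der(0x30, der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff"))

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_timestamp_req(req: bytes) -> dict:
    """Server side: decode the request and accept only a well-formed SHA-256 imprint."""
    tag, body, end = _read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    _, ver, pos = _read_tlv(body, 0)
    tag, imprint, pos = _read_tlv(body, pos)
    _, alg, p = _read_tlv(imprint, 0)
    _, digest, _ = _read_tlv(imprint, p)
    if tag != 0x30 or not alg.startswith(SHA256_OID) or len(digest) != 32:
        raise ValueError("unsupported hash algorithm or digest length")
    nonce = cert_req = None
    while pos < len(body):                           # reqPolicy / nonce / certReq / extensions
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x02:
            nonce = int.from_bytes(val, "big")       # echoed back in the response
        elif tag == 0x01:
            cert_req = val != b"\x00"                # client wants the TSA cert included
    return {"version": int.from_bytes(ver, "big"), "digest": digest,
            "nonce": nonce, "cert_req": cert_req}
```

A server built on this still has to wrap the imprint, nonce and a trusted clock reading in a signed TSTInfo/CMS response, which is where the certificate and hardware requirements from the first answer come in.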