
Sign and timestamp manifest files on separate machines using mage.exe

My use case is this: I want to be able to sign the EXEs and manifests on an "air gapped" computer, and then on an internet-connected computer add the timestamps:


This has been doable with signtool.exe. The problem I have is with mage.exe. It does not appear to be able to separately sign and then timestamp the signature, which seems odd.

I have tried the following:

mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH%
mage.exe -Update "myapp.exe.manifest" -TimestampUri http://timestamp.comodoca.com

After the sign step, I can examine the manifest and clearly see that it has been signed. The update step, however, removes the signature completely.

If I do

mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH% -TimestampUri http://timestamp.comodoca.com

It works fine and the manifest is signed and timestamped.

The only difference between the signed and signed-and-timestamped manifests is, unsurprisingly, the timestamp info.

So, the question is, is it possible to use mage.exe to sign a manifest and then later on add a timestamp in the way that signtool.exe allows?

Many thanks in advance, James

EDIT: One thing I have yet to try, but will do, is this: if signtool.exe can do this separately, presumably it does not need the original private key that was used to sign the binary. This implies that the timestamping does not need the private key, which makes sense I suppose, as timestamping is "freezing" the digital signature, only the public certificate. So could I generate it myself and manually add it to the manifest?

The timestamp is part of your file. When you add the timestamp:

-> the content of the file changes,

-> the signature of the file is changed,

-> you have to re-sign your app.

  1. what "sign" does
    digest_fun(file_to_sign) -> publisher_digest_of_file
    sign_fun(publisher_digest_of_file, private_key) -> publisher_signature
  2. how to verify "sign"
    digest_fun(file_to_sign) -> digest_of_file
    sign_fun(publisher_signature, public_key) -> publisher_digest_of_file
    assert_fun(digest_of_file == publisher_digest_of_file)
    //if anyone changes the content of the file, it fails
  3. what "timestamp + sign" does
    digest_fun(file_to_sign + timestamp) -> publisher_digest_of_file_and_timestamp
    sign_fun(publisher_digest_of_file_and_timestamp, private_key) -> publisher_signature
  4. how to verify "timestamp + sign"
    digest_fun(file_to_sign + timestamp) -> digest_of_file_and_timestamp
    sign_fun(publisher_signature, public_key) -> publisher_digest_of_file_and_timestamp
    assert_fun(digest_of_file_and_timestamp == publisher_digest_of_file_and_timestamp)
    //if anyone changes the content of the file, it fails
    //if anyone changes the timestamp, it fails
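As an added illustration of the answer's pseudocode (example code, not from the original page and not mage's real XML-signature format): a textbook-RSA model in which the timestamp is part of the signed content, showing why a timestamp appended after signing no longer verifies against the old signature and a re-sign is needed. The key pair, the sample manifest and the timestamp string are all constructed for the demo.

```python
import hashlib

# Constructed toy multi-prime RSA key from three Mersenne primes, so that a
# 256-bit digest fits under the modulus. Demonstration only, not a real key.
P, Q, R = (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1
N = P * Q * R
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1) * (R - 1))  # private exponent
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def digest_fun(data: bytes) -> int:
    """SHA-256 of the signed content, as an integer below N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_fun(digest: int, private_key) -> int:
    """Textbook RSA signature over the digest (no padding; toy only)."""
    d, n = private_key
    return pow(digest, d, n)


def recover_fun(signature: int, public_key) -> int:
    """Recover the digest the signer committed to, using only the public key."""
    e, n = public_key
    return pow(signature, e, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """The assert_fun step: recomputed digest must equal the signed digest."""
    return digest_fun(data) == recover_fun(signature, public_key)


def demo() -> dict:
    # Constructed stand-ins for the manifest content and the timestamp data.
    manifest = b"<asmv1:assembly name='myapp.exe.manifest' />"
    timestamp = b"<timestamp>2024-01-01T00:00:00Z</timestamp>"
    altered_ts = b"<timestamp>1999-12-31T23:59:59Z</timestamp>"

    sig_plain = sign_fun(digest_fun(manifest), PRIVATE_KEY)
    sig_with_ts = sign_fun(digest_fun(manifest + timestamp), PRIVATE_KEY)
    return {
        "sign_only": verify(manifest, sig_plain, PUBLIC_KEY),
        # The OP's -Update scenario under this model: old signature, new content.
        "ts_appended_no_resign": verify(manifest + timestamp, sig_plain, PUBLIC_KEY),
        "resigned_with_ts": verify(manifest + timestamp, sig_with_ts, PUBLIC_KEY),
        "ts_altered": verify(manifest + altered_ts, sig_with_ts, PUBLIC_KEY),
        "file_altered": verify(manifest.replace(b"myapp", b"other") + timestamp,
                               sig_with_ts, PUBLIC_KEY),
    }
```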
