My use case is this: I want to be able to sign the EXEs and manifests on an "air gapped" computer, and then on an internet-connected computer add the timestamps.
This has been doable with signtool.exe. The problem I have is with mage.exe. It does not appear to be able to separately sign and then timestamp the signature, which seems odd.
I have tried the following:
mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH%
mage.exe -Update "myapp.exe.manifest" -TimestampUri http://timestamp.comodoca.com
After the sign step, I can examine the manifest and clearly see that it has been signed. The update step, however, removes the signature completely.
If I do
mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH% -TimestampUri http://timestamp.comodoca.com
It works fine and the manifest is signed and timestamped.
The only difference between the signed and signed-and-timestamped manifests is, unsurprisingly, the timestamp info.
So, the question is, is it possible to use mage.exe to sign a manifest and then later on add a timestamp in the way that signtool.exe allows?
Many thanks in advance, James
EDIT: One thing I am yet to try, but will do, is this: if signtool.exe can do this separately, presumably it does not need the original private key that was used to sign the binary. This implies that the timestamping does not need the private key, which makes sense I suppose, as timestamping is "freezing" the digital signature and needs only the public certificate. So could I generate it myself and manually add it to the manifest?
The timestamp is part of your file; when you add the timestamp:
->the content of the file changed,
->the signature of the file is changed
->you have to resign your app.
digest_fun(file_to_sign) -> publisher_digest_of_file
sign_fun(publisher_digest_of_file, private_key) -> publisher_signature
digest_fun(file_to_sign) -> digest_of_file
sign_fun(publisher_signature, public_key) -> publisher_digest_of_file
assert_fun(digest_of_file == publisher_digest_of_file)
//if anyone changes the content of the file, it fails
digest_fun(file_to_sign + timestamp) -> publisher_digest_of_file_and_timestamp
sign_fun(publisher_digest_of_file_and_timestamp, private_key) -> publisher_signature
digest_fun(file_to_sign + timestamp) -> digest_of_file_and_timestamp
sign_fun(publisher_signature, public_key) -> publisher_digest_of_file_and_timestamp
assert_fun(digest_of_file_and_timestamp == publisher_digest_of_file_and_timestamp)
//if anyone changes the content of the file, it fails
//if anyone changes the timestamp, it fails
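The two models discussed above, carried through with real signatures as an added example (not code from either poster, and not how mage.exe or signtool.exe are implemented). It uses Ed25519 and SHA-256 as stand-ins for the certificate's RSA key, a constructed manifest string in place of myapp.exe.manifest, and a hypothetical timestamp authority (TSA) key pair. Model A is the answer's view: the timestamp is appended to the signed bytes, so the existing signature stops verifying and the publisher's private key is needed again. Model B is the countersignature view the question's EDIT reasons about: a TSA signs the publisher's signature value plus a time, so the manifest bytes and the publisher signature are untouched and only the TSA key is used. Model B is a simplification of a real timestamp token, not an implementation of one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is the publisher's signature: the digest the publisher computed
// plus sign_fun(digest, private_key) in the answer's terms.
type Signature struct {
	Digest []byte
	Sig    []byte
}

// SignFile is digest_fun followed by sign_fun: hash the bytes, sign the hash.
func SignFile(content []byte, priv ed25519.PrivateKey) Signature {
	d := sha256.Sum256(content)
	return Signature{Digest: d[:], Sig: ed25519.Sign(priv, d[:])}
}

// VerifyFile recomputes the digest and checks it against the signed one.
// Any change to the bytes, including an appended timestamp, fails here.
func VerifyFile(content []byte, s Signature, pub ed25519.PublicKey) bool {
	d := sha256.Sum256(content)
	return bytes.Equal(d[:], s.Digest) && ed25519.Verify(pub, s.Digest, s.Sig)
}

// AppendTimestamp is Model A: the timestamp becomes part of the signed bytes.
func AppendTimestamp(content []byte, ts string) []byte {
	out := append([]byte{}, content...)
	return append(out, []byte("\n<!-- timestamp: "+ts+" -->")...)
}

// TimestampToken is Model B: a hypothetical TSA signs the publisher's
// signature value together with the time. The publisher key is not involved.
type TimestampToken struct {
	Time string
	Sig  []byte
}

func tsaMessage(sig []byte, ts string) []byte {
	return append(append([]byte{}, sig...), []byte(ts)...)
}

func CounterSign(s Signature, ts string, tsaPriv ed25519.PrivateKey) TimestampToken {
	return TimestampToken{Time: ts, Sig: ed25519.Sign(tsaPriv, tsaMessage(s.Sig, ts))}
}

func VerifyCounterSig(s Signature, tok TimestampToken, tsaPub ed25519.PublicKey) bool {
	return ed25519.Verify(tsaPub, tsaMessage(s.Sig, tok.Time), tok.Sig)
}

// Outcome records what each verification step returned.
type Outcome struct {
	PlainSignatureValid      bool // sign, then verify, before any timestamp
	InContentTimestampValid  bool // Model A with the old signature: expected false
	ResignedValid            bool // Model A after signing again with the private key
	CounterSigValid          bool // Model B: original signature and TSA token both verify
	CounterSigTamperDetected bool // Model B: editing the time in the token is caught
}

func RunScenario() (Outcome, error) {
	var o Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the publisher certificate
	if err != nil {
		return o, err
	}
	tsaPub, tsaPriv, err := ed25519.GenerateKey(rand.Reader) // hypothetical TSA key
	if err != nil {
		return o, err
	}

	// Constructed stand-in for myapp.exe.manifest; not a real ClickOnce manifest.
	manifest := []byte(`<assembly><assemblyIdentity name="myapp.exe" version="1.0.0.0"/></assembly>`)
	const ts = "2024-01-01T00:00:00Z" // constructed time value

	sig := SignFile(manifest, priv)
	o.PlainSignatureValid = VerifyFile(manifest, sig, pub)

	// Model A: the timestamp changes file_to_sign, so the old signature breaks
	// and the publisher must sign again.
	stamped := AppendTimestamp(manifest, ts)
	o.InContentTimestampValid = VerifyFile(stamped, sig, pub)
	o.ResignedValid = VerifyFile(stamped, SignFile(stamped, priv), pub)

	// Model B: the token covers the signature value; manifest and publisher
	// signature are untouched, and no publisher private key is used.
	tok := CounterSign(sig, ts, tsaPriv)
	o.CounterSigValid = VerifyFile(manifest, sig, pub) && VerifyCounterSig(sig, tok, tsaPub)
	tampered := TimestampToken{Time: "2030-01-01T00:00:00Z", Sig: tok.Sig}
	o.CounterSigTamperDetected = !VerifyCounterSig(sig, tampered, tsaPub)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("%+v\n", o)
}
```

Under Model A the air-gapped workflow in the question cannot work, because the second machine would need the private key; under Model B it can, because the only key used on the connected machine belongs to the timestamp authority.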