Author Topic: Code Signing issue  (Read 6130 times)

DirkM

Code Signing issue
« on: June 13, 2013, 11:51:41 am »
Hi everybody,

Over the last few days I have had more and more issues signing my compiled executable. Sometimes I had to try 5 or more times before the compiler eventually succeeded, but today I can't get any exe signed.

The error that I'm always getting when I try to compile an exe is the following:

FAILED
800700001 Cannot connect to timestamp server
C:\WB\test.exe
CertName
Test Exe to be signed
http://support.company.com
http://timestamp.verisign.com/scripts/timestamp.dll

I can sign the same exe with signcode.exe, and except for installing the June 2013 security updates, nothing has changed on my Windows 7 computer.

Is there a way to tell WinBatch Compiler (I'm using 2012C) to use a different timestamp url?

Thanks,
Dirk

Deana

  • Wilson WindowWare Tech Support
Re: Code Signing issue
« Reply #1 on: June 13, 2013, 12:05:26 pm »
Background: Timestamping ensures that code will not expire when the certificate expires. VeriSign offers a timestamping service at http://timestamp.verisign.com/scripts/timstamp.dll . We recommend that you specify VeriSign's timestamp server URL when you sign the WinBatch exe file.

The timestamp server validates the date and the time that the file was signed; therefore the certificate can expire, but the signature will be valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.

The WinBatch Compiler and InstallCodeSignCertificate.wbt both use this timestamp server when signing code for you. However, if you choose to use IntControl 93 or SignCode.exe to sign your EXEs, then you should specify this time server.

Occasionally the timestamp server at VeriSign ("http://timestamp.verisign.com/scripts/timstamp.dll") decides to go offline. However, you state that you are able to code sign using signcode.exe. Are you specifying a timestamp server when code signing with signcode.exe? If so, which timestamp server?
Deana F.
Technical Support
Wilson WindowWare Inc.

DirkM

Re: Code Signing issue
« Reply #3 on: June 13, 2013, 12:45:23 pm »
Well, it started working a few minutes after I posted this. I have compiled 4 exe since then without issue.

When I use signcode.exe I do not specify a server, not sure what url it is using by default but it always works when WB Compiler fails.

I suppose the VeriSign server was just a little busy (or offline) this morning and that that was the reason why WB Compiler failed. It would be nice if there were an option in a future version of WinBatch to specify the signing server (maybe where the certificate settings are entered) to try other servers when the default server fails. IntControl93 and signcode.exe work too, but convenience (letting WB Compiler do the hard work) rules :-)

Thanks,
Dirk

Deana

  • Wilson WindowWare Tech Support
Re: Code Signing issue
« Reply #4 on: June 13, 2013, 12:59:44 pm »
This timestamp service problem can also occur if the system you are running on doesn't have internet access.

Actually I think you can specify the name of the code sign timestamp service already in the compiler...
  • Open the compiler
  • Select the Settings button
  • Select the Signing Details button
  • Specify the url of the timestamp service in the field titled 'Website Url'.
Deana F.
Technical Support
Wilson WindowWare Inc.

td

  • Tech Support
Re: Code Signing issue
« Reply #5 on: June 13, 2013, 01:20:02 pm »
Quote from: DirkM
Well, it started working a few minutes after I posted this. I have compiled 4 exe since then without issue.

When I use signcode.exe I do not specify a server, not sure what url it is using by default but it always works when WB Compiler fails.


If you don't specify a time stamp server as a parameter to signcode.exe, it does not use any time stamp server and your signed exe's signature is not time stamped. That means the exe will not authenticate once your certificate expiry passes, but it will authenticate just fine until then.

The WinBatch compiler does not have an option for specifying an alternate time stamp server (the Website URL is for your website url) but you can always use Intcontrol 92 instead.
"Success is a lousy teacher. It seduces smart people into thinking they can't lose."
  - Bill Gates
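
Added example, not part of any post in this thread: a PowerShell check for the case td describes in Reply #5, where an exe is signed but carries no timestamp and so stops authenticating when the signing certificate expires. The function name Get-TimestampAudit is hypothetical, and the folder C:\WB is assumed from the error output in the first post.

```powershell
# Added example (not from the thread): report which signed EXEs lack a timestamp.
# Get-TimestampAudit is a hypothetical helper name; C:\WB is an assumed build folder.
function Get-TimestampAudit {
    param(
        [Parameter(Mandatory)]
        [string]$Folder
    )

    Get-ChildItem -Path $Folder -Filter *.exe -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate        # $null when the file is unsigned
        $tsa    = $sig.TimeStamperCertificate   # $null when no timestamp was applied

        if ($null -eq $signer) {
            $finding = 'Unsigned'
        }
        elseif ($null -eq $tsa) {
            # Signed without a timestamp: the signature stops validating
            # once the signer certificate's NotAfter date has passed.
            $finding = 'SignedNoTimestamp'
        }
        else {
            $finding = 'SignedAndTimestamped'
        }

        [pscustomobject]@{
            File            = $_.Name
            Finding         = $finding
            Status          = $sig.Status
            SignerExpires   = if ($signer) { $signer.NotAfter } else { $null }
            DaysUntilExpiry = if ($signer) { [int]($signer.NotAfter - (Get-Date)).TotalDays } else { $null }
            TimestampedBy   = if ($tsa) { $tsa.Subject } else { $null }
        }
    }
}

# List every exe in the build folder, untimestamped signatures closest to expiry first.
Get-TimestampAudit -Folder 'C:\WB' |
    Sort-Object Finding, DaysUntilExpiry |
    Format-Table -AutoSize
```

Any file reported as SignedNoTimestamp needs to be re-signed with a timestamp server specified before the date in SignerExpires.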