WinBatch® Technical Support Forum

All Things WinBatch => WinBatch => Topic started by: DirkM on June 13, 2013, 11:51:41 AM

Title: Code Signing issue
Post by: DirkM on June 13, 2013, 11:51:41 AM
Hi everybody,

Over the last few days I have had more and more issues signing my compiled executable. Sometimes I had to try 5 or more times before the compiler eventually succeeded, but today I can't get any exe signed.

The error that I'm always getting when I try to compile an exe is the following:

FAILED
800700001 Cannot connect to timestamp server
C:\WB\test.exe
CertName
Test Exe to be signed
http://support.company.com
http://timestamp.verisign.com/scripts/timestamp.dll

I can sign the same exe with signcode.exe and except for installing the June 2013 security updates nothing has changed on my Windows 7 computer.

Is there a way to tell WinBatch Compiler (I'm using 2012C) to use a different timestamp url?

Thanks,
Dirk
Title: Re: Code Signing issue
Post by: Deana on June 13, 2013, 12:05:26 PM
Background: Timestamping ensures that code will not expire when the certificate expires. VeriSign offers a timestamping service http://timestamp.verisign.com/scripts/timstamp.dll . We recommend that you specify VeriSign's timestamp server url when you sign the WinBatch exe file.

The timestamp server validates the date and the time that the file was signed; therefore the certificate can expire but the signature will be valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.

The WinBatch Compiler and InstallCodeSignCertificate.wbt both use this timestamp server when signing code for you. However if you choose to use IntControl 93 or SignCode.exe to sign your EXEs then you should specify this time server.

Occasionally the timestamp server at VeriSign ("http://timestamp.verisign.com/scripts/timstamp.dll") decides to go offline. However you state that you are able to code sign using signcode.exe. Are you specifying a timestamp server when code signing with signcode.exe? If so which timestamp server?
Title: Re: Code Signing issue
Post by: Deana on June 13, 2013, 12:11:58 PM
Alternative possible timestamp servers:

Title: Re: Code Signing issue
Post by: DirkM on June 13, 2013, 12:45:23 PM
Well, it started working a few minutes after I posted this. I have compiled 4 exe since then without issue.

When I use signcode.exe I do not specify a server, not sure what url it is using by default but it always works when WB Compiler fails.

I suppose the VeriSign server just was a little busy (or offline) this morning and that that was the reason why WB Compiler failed. Would be nice if there would be an option in a future version of WinBatch to specify the signing server (maybe where the certificate settings are entered) to try other servers when the default server fails. IntControl93 and signcode.exe work too but convenience (letting WB Compiler do the hard work) rules :-)

Thanks,
Dirk
Title: Re: Code Signing issue
Post by: Deana on June 13, 2013, 12:59:44 PM
This timestamp service problem can also occur if the system you are running on doesn't have internet access.

Actually I think you can specify the name of the code sign timestamp service already in the compiler...
Title: Re: Code Signing issue
Post by: td on June 13, 2013, 01:20:02 PM
Quote from: DirkM on June 13, 2013, 12:45:23 PM
Well, it started working a few minutes after I posted this. I have compiled 4 exe since then without issue.

When I use signcode.exe I do not specify a server, not sure what url it is using by default but it always works when WB Compiler fails.


If you don't specify a time stamp server as a parameter to signcode.exe it does not use any time stamp server and your signed exe's signature is not time stamped.  That means the exe will not authenticate once your certificate expiry passes but it will authenticate just fine until then.

The WinBatch compiler does not have an option for specifying an alternate time stamp server (the Website URL is for your website url) but you can always use Intcontrol 92 instead.
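
An added example, not part of the thread and not WinBatch code: a PowerShell check that flags signed executables whose Authenticode signature carries no timestamp countersignature, the case described above where the exe stops authenticating once the signing certificate expires. The function name `Get-SignatureTimestampStatus` and the output column names are assumptions made for this example; `C:\WB` is the folder from the error output earlier in the thread.

```powershell
# Added example: audit Authenticode signatures for a missing timestamp.
# Get-SignatureTimestampStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-SignatureTimestampStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path
    )
    process {
        foreach ($file in $Path) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $file
            $signer = $sig.SignerCertificate       # null when the file is unsigned
            $tsa    = $sig.TimeStamperCertificate  # null when no timestamp was applied

            # Classify the file: a valid signature without a timestamp is the risky case.
            $result = if (-not $signer) {
                'Unsigned'
            } elseif ($sig.Status -ne 'Valid') {
                "Invalid ($($sig.Status))"
            } elseif (-not $tsa) {
                'NoTimestamp'
            } else {
                'Timestamped'
            }

            # Days left before an unstamped signature stops validating.
            $daysLeft = if ($signer) {
                [int]($signer.NotAfter - (Get-Date)).TotalDays
            } else {
                $null
            }

            [pscustomobject]@{
                File            = $file
                Result          = $result
                SignerSubject   = if ($signer) { $signer.Subject } else { $null }
                SignerNotAfter  = if ($signer) { $signer.NotAfter } else { $null }
                DaysUntilExpiry = $daysLeft
                TimestampedBy   = if ($tsa) { $tsa.Subject } else { $null }
            }
        }
    }
}

# Usage: list every exe in the build folder that was signed without a timestamp.
Get-ChildItem -Path 'C:\WB' -Filter '*.exe' -File |
    Get-SignatureTimestampStatus |
    Where-Object { $_.Result -eq 'NoTimestamp' } |
    Format-Table File, SignerNotAfter, DaysUntilExpiry -AutoSize
```

Running this after each build catches executables that were signed while the timestamp server was unreachable, so they can be re-signed before release.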