
Added the ability to fetch timestamp for codesigning through https

Open HuFlungDu opened this issue 1 year ago • 2 comments

Some enterprise environments mandate that all communication happens through SSL. This merely enables the user to set their time server to an HTTPS site, e.g. node authenticode.js sign --time "https://timestamp.sectigo.com/authenticode".

HuFlungDu avatar Nov 07 '24 20:11 HuFlungDu

After checking online, all timestamp servers are http and not https; https won't sign the exe:

https://www.sectigo.com/resource-library/time-stamping-server
https://www.entrust.com/knowledgebase/ssl/time-stamp-url
https://knowledge.digicert.com/solution/troubleshooting-timestamping-problems
https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe

si458 avatar Nov 07 '24 20:11 si458

It says it's http, but I have tested it:

node node_modules/meshcentral/authenticode.js sign --exe node_modules/meshcentral/agents/MeshService.exe --out ./mesh-https.exe --time "https://timestamp.sectigo.com/authenticode"

Unable to load certificate and/or private key, generating test certificate.
Signing to ./mesh-https.exe
Done.

And:

node node_modules/meshcentral/authenticode.js info --exe ./mesh-https.exe
Version Information:
  FileVersion: 0.0.0.0
  ProductVersion: 0.0.0.0
String Information:
  FileDescription: "MeshCentral Background Service Agent"
  FileVersion: "2022-Dec-2 11:42:16-0800"
  LegalCopyright: "Apache 2.0 License"
  ProductName: "MeshCentral Agent"
  ProductVersion: "Commit: 2022-Dec-2 11:42:16-0800"
Checksum Information:
  Header CheckSum: 0x3a679d
  Actual CheckSum: 0x3a679d
Signature Information:
  Hash Method: sha384
  Signed Hash: 5ba75293525ecdae180df93e440b3ef14c4a5b22948bff0443316fd69367adcb96ab72888170a53737da4a5deea50227
  Actual Hash: 5ba75293525ecdae180df93e440b3ef14c4a5b22948bff0443316fd69367adcb96ab72888170a53737da4a5deea50227

Running info on an unsigned exe gives the following:

Version Information:
  FileVersion: 0.0.0.0
  ProductVersion: 0.0.0.0
String Information:
  FileDescription: "MeshCentral Background Service Agent"
  FileVersion: "2022-Dec-2 11:42:16-0800"
  LegalCopyright: "Apache 2.0 License"
  ProductName: "MeshCentral Agent"
  ProductVersion: "Commit: 2022-Dec-2 11:42:16-0800"
Checksum Information:
  Header CheckSum: 0x0
  Actual CheckSum: 0x3a703c
Signature Information:
  This file is not signed.

I see no difference in signing with http in the URL vs https, but it definitely uses port 443 at the very least, because the environment I am testing from does not allow any outbound on 80 (testing with http, it fails).

My guess is that, cryptographically speaking, there's no reason for this communication to be done over https, but they expose it on https anyway, just for situations like this (similar to apt repos and whatnot).

HuFlungDu avatar Nov 07 '24 21:11 HuFlungDu