[Behavior]: osslsigncode adds timestamp even without passing a timestamp server URL
Description:
I've observed a discrepancy between the behavior of Windows signtool and osslsigncode when signing an Appx file without specifying a timestamp server URL. When using signtool, the resulting signature does not display a timestamp in the properties dialog of the digital signature, showing "Signing time: Not available." In contrast, osslsigncode includes a timestamp in the same scenario.
Steps to Reproduce:
- Sign an Appx file using signtool without passing a timestamp server URL:
  signtool.exe sign /fd sha256 /f C:\CordovaApp_TemporaryKey.pfx C:\test-signtool-signed.appx
  (without parameter /tr timestampURL)
- Check the properties dialog of the digital signature, note the absence of a timestamp.
- Repeat the signing process with osslsigncode under the same conditions:
  osslsigncode.exe sign -in "C:\test-unsigned.appx" -out C:\test-osslsigncode-signed.appx -pkcs12 C:\CordovaApp_TemporaryKey.pfx -h sha256
  (without parameter -ts timestampURL)
- Observe that the properties dialog now displays a timestamp.
Expected Behavior:
The signtool does not add a timestamp when no timestamp server URL is provided, which is the expected behavior.
Actual Behavior:
osslsigncode unexpectedly adds a timestamp even without a timestamp server URL being specified.
Additional Information: This inconsistency may lead to confusion or misinterpretation of the signature's validity period. Clarification on whether this is intended behavior or a bug would be appreciated.
You seem to confuse the signingTime attribute (https://datatracker.ietf.org/doc/html/rfc5652#section-11.3) with a timestamp, which is implemented as a countersignature. You can clearly see that there are no countersignatures on that signature. See an actually timestamped file for comparison.
The purpose of osslsigncode is to produce valid authenticode signatures, and not to mimic all the quirks of signtool.
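The distinction the reply above draws is structural: signingTime lives in the signedAttrs [0] of the SignerInfo and is just a claim by the signer, while a timestamp is a countersignature by a TSA in the unsignedAttrs [1], either the classic countersignature attribute (1.2.840.113549.1.9.6) or the Microsoft RFC 3161 attribute (1.3.6.1.4.1.311.3.3.1). The script below is an added example written for this page, not code from osslsigncode or from anyone in this thread. It hand-rolls a minimal DER encoder and walker, builds two constructed SignerInfo samples (dummy sid, digest and signature fields, assumed for illustration only) and reports whether each carries a signingTime and whether it is countersigned. Extracting the real SignerInfo out of a PE or Appx container is assumed to be done beforehand and is not shown.

```python
"""Tell a CMS signingTime signed attribute apart from a timestamp countersignature."""
import datetime

OID_SIGNING_TIME = "1.2.840.113549.1.9.5"      # RFC 5652 s11.3, signed attribute (signer's own claim)
OID_COUNTERSIGNATURE = "1.2.840.113549.1.9.6"  # RFC 5652 s11.4, unsigned attribute (legacy Authenticode TS)
OID_MS_RFC3161 = "1.3.6.1.4.1.311.3.3.1"       # Microsoft RFC 3161 timestamp, unsigned attribute

SAMPLE_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5)  # constructed value for the samples below


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER TLV with a single-byte tag."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, off=0):
    """Return (tag, body, next_offset) for the TLV at buf[off:]; single-byte tags only."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, inner, off = read_tlv(body, off)
        out.append((tag, inner))
    return out


def attributes(attr_set_body):
    """Map attrType OID -> list of raw attrValues bodies from a SET OF Attribute."""
    result = {}
    for _, attr in children(attr_set_body):
        (_, oid_body), (_, values_body) = children(attr)  # Attribute ::= SEQUENCE { OID, SET OF ANY }
        result[decode_oid(oid_body)] = [v for _, v in children(values_body)]
    return result


def inspect_signer_info(der):
    """Report the signer's claimed signingTime and whether a TSA countersignature is present."""
    tag, body, _ = read_tlv(der)
    assert tag == 0x30, "SignerInfo must be a SEQUENCE"
    signed, unsigned = {}, {}
    for child_tag, child in children(body):
        if child_tag == 0xA0:    # signedAttrs [0] IMPLICIT SET OF Attribute
            signed = attributes(child)
        elif child_tag == 0xA1:  # unsignedAttrs [1] IMPLICIT SET OF Attribute
            unsigned = attributes(child)
    signing_time = None
    if OID_SIGNING_TIME in signed:  # UTCTime YYMMDDhhmmssZ, asserted by the signer, not by a TSA
        signing_time = datetime.datetime.strptime(signed[OID_SIGNING_TIME][0].decode(), "%y%m%d%H%M%SZ")
    return {
        "signing_time": signing_time,
        "countersigned": OID_COUNTERSIGNATURE in unsigned or OID_MS_RFC3161 in unsigned,
    }


def build_signer_info(signing_time=None, countersigned=False):
    """Constructed sample SignerInfo; sid, digest and signature fields are dummies."""
    def attribute(oid, value):
        return tlv(0x30, encode_oid(oid) + tlv(0x31, value))
    parts = [
        tlv(0x02, b"\x01"),                                 # version 1
        tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01")),     # sid: IssuerAndSerialNumber (dummy)
        tlv(0x30, encode_oid("2.16.840.1.101.3.4.2.1")),    # digestAlgorithm: sha256
    ]
    if signing_time is not None:
        stamp = signing_time.strftime("%y%m%d%H%M%SZ").encode()
        parts.append(tlv(0xA0, attribute(OID_SIGNING_TIME, tlv(0x17, stamp))))
    parts += [
        tlv(0x30, encode_oid("1.2.840.113549.1.1.1")),      # signatureAlgorithm: rsaEncryption
        tlv(0x04, b"\x00" * 8),                             # signature (dummy)
    ]
    if countersigned:
        # A real value is the TSA's own SignerInfo; an empty SEQUENCE stands in for it here.
        parts.append(tlv(0xA1, attribute(OID_COUNTERSIGNATURE, tlv(0x30, b""))))
    return tlv(0x30, b"".join(parts))


if __name__ == "__main__":
    print(inspect_signer_info(build_signer_info(signing_time=SAMPLE_TIME)))
    print(inspect_signer_info(build_signer_info(signing_time=SAMPLE_TIME, countersigned=True)))
```

The first sample is the shape the reporter's osslsigncode output has: a signingTime present and no countersignature, so nothing in it binds the signature to a time that a verifier should trust. Only the second sample, with an entry in unsignedAttrs, is what the "Countersignatures" table in the Windows dialog would list.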
I realized that it was the "Timestamp" value in the partially visible "test-osslsigncode-signed.appx Properties" window screenshot. This is a bug in Windows, as the printed value is not derived from an actual timestamp, evident in the "Digital Signature Details" window, where the "Countersignatures" table does not contain any timestamp. Feel free to report this bug to Microsoft.