ms-iot/iot-adk-addonkit

Deprecated Timestamp Server

Closed this issue · 5 comments

When building a retail image of IoT Core, the buildimage command fails when attempting to contact the now deprecated "http://timestamp.verisign.com/scripts/timstamp.dll" Verisign URL (per "FIPPackage_oem.log", "FIPPackage_ocp.log", and "FIPPackage_QCDB410C.log"). I have edited the TIMESERVER variable in "sign.cmd" to point to "http://timestamp.digicert.com" which has allowed the buildpkg steps to complete successfully, but the final buildimage step fails as it is still pointing to the Verisign server. How can I point any code signing steps to the new Digicert server? This is a critical issue as we need a new retail image for production ASAP. Any help you could provide would be most appreciated.

@MattBranch taking a look at this now and will revert back.

As a quick fix, please also change the same at this file location
C:\Program Files (x86)\Windows Kits\10\Tools\bin\i386\sign.cmd
line 617
if "%SIGN_WITH_TIMESTAMP%"=="1" set TIMESERVER=/t http://timestamp.verisign.com/scripts/timestamp.dll

@MattBranch the timeserver editing in the above mentioned place should fix the issue.

@parameshbabu, thank you for helping with this so quickly. Much appreciated! Manually editing the "sign.cmd" file at the location you specified did the trick, on top of editing the "sign.cmd" that was part of my build workspace. My image has now built successfully.

I have not tried the permanent fix you put in place, but one thing I noticed was that you used "http://timestamp.digicert.com/scripts/timestamp.dll" as the new timestamp URL. My testing was with "http://timestamp.digicert.com", as Digicert's documentation shows (see "https://www.digicert.com/kb/code-signing/ev-authenticode-certificates.htm"). If the extended URL worked for you, I believe we can close this issue now. Thank you once again!

@MattBranch Thanks for the details. The fix I put in is the same as yours, and the sign.cmd in the tools dir needs to be manually patched. I'm following up internally for a better solution.

Thanks for the link, I have used this deeper path and it does work properly. Closing this issue now.
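
Since the thread shows more than one copy of sign.cmd carrying the retired URL (the build workspace and the Windows Kits tools directory), the following added example, which is not part of the original issue or the project's code, lists every sign.cmd line that still references the Verisign host and optionally rewrites it. The workspace path is a placeholder and the parameter names are assumptions made for this illustration.

```powershell
# Added example: find sign.cmd copies that still point TIMESERVER at the retired host.
param(
    # First root is a placeholder (assumption); second is the kit path quoted in the thread.
    [string[]]$Roots = @(
        'C:\path\to\your\build-workspace',
        'C:\Program Files (x86)\Windows Kits\10\Tools\bin\i386'
    ),
    [string]$OldHost = 'timestamp.verisign.com',
    [string]$NewUrl  = 'http://timestamp.digicert.com',
    [switch]$Fix      # without -Fix the script only reports
)

# Match the whole old URL, including any path such as /scripts/timestamp.dll.
$pattern = 'https?://' + [regex]::Escape($OldHost) + '[^\s"]*'
# ISO-8859-1 maps bytes 1:1, so a read/modify/write round trip keeps every other byte intact.
$enc = [System.Text.Encoding]::GetEncoding(28591)

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing path: $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'sign.cmd' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $hits = Select-String -LiteralPath $file -Pattern $pattern
        if (-not $hits) { return }   # this copy is already clean; move to the next file

        # Report each stale line as path:line: text
        $hits | ForEach-Object { '{0}:{1}: {2}' -f $file, $_.LineNumber, $_.Line.Trim() }

        if ($Fix) {
            # Back up first; files under Program Files need an elevated shell.
            Copy-Item -LiteralPath $file -Destination "$file.bak" -Force
            $text = $enc.GetString([System.IO.File]::ReadAllBytes($file))
            $text = [regex]::Replace($text, $pattern, $NewUrl, 'IgnoreCase')
            [System.IO.File]::WriteAllBytes($file, $enc.GetBytes($text))
            Write-Host "Patched $file (backup: $file.bak)"
        }
    }
}
```

Run it once without `-Fix` to review the hits, then again with `-Fix`; an SDK or kit update can restore the original sign.cmd, so re-run the report after updating.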