It seems that there are two timestamp countersignature types that can be used for Windows code signing (Authenticode):
- Proprietary: results in `V1` in the Version field (PKCS#7 version?) of the countersignature properties
- RFC 3161 based: results in `V2`
I have not found any documentation that states this explicitly, but through testing it seems that Windows XP (SP3, with all updates installed) only supports timestamps with version `V1`. Timestamps with version `V2` result in the "not available" status. Of course, the version numbers might just correlate with the results -- there is possibly another aspect to the timestamp that causes it to be ignored.
The ReportViewer MSI file that is currently available has a `V2` timestamp. However, the timestamp was also made in July 2014, after this question was posted.
More background:
The Windows SDK `signtool` command supports two options (to the `sign` and `timestamp` sub-commands) to generate the two different timestamp types:
- `/t <timestamp server URL>`: results in `V1`
- `/tr <RFC 3161 timestamp server URL>`: results in `V2`
The `signtool` documentation for `/tr` states:
Windows Vista and earlier: This flag is not supported.
However, it seems unclear (due to the way that similar statements are used on other options) whether this applies to the target system or the system that `signtool` is running on.
Examples
`V1` timestamp:
signtool.exe sign /f cert.pfx /p %passphrase% /t http://timestamp.comodoca.com/authenticode /d "Test" test.exe
`V2` timestamp:
signtool.exe sign /f cert.pfx /p %passphrase% /tr http://timestamp.comodoca.com/rfc3161 /d "Test" test-rfc3161.exe
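
To check which timestamp type a signed file actually carries, the following Python example (added here, not part of the original answer) reads the PE certificate table and looks for the unsigned-attribute OID that holds the timestamp. It assumes the `V1`/`V2` labels above correspond to the PKCS#9 countersignature attribute (1.2.840.113549.1.9.6) and the Microsoft RFC 3161 attribute (1.3.6.1.4.1.311.3.3.1) respectively; `fake_pe` builds constructed input, and the byte search is a heuristic rather than a full ASN.1 parse.

```python
import struct

def der_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

# Unsigned-attribute OIDs that carry the timestamp in an Authenticode SignerInfo.
LEGACY = der_oid("1.2.840.113549.1.9.6")    # PKCS#9 countersignature (assumed: /t, "V1")
RFC3161 = der_oid("1.3.6.1.4.1.311.3.3.1")  # RFC 3161 token (assumed: /tr, "V2")

def pkcs7_blobs(pe):
    """Yield each PKCS#7 blob from the PE certificate table (data directory 4)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", pe, opt)[0]]
    pos, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # a file offset, not an RVA
    end = pos + size
    while pos + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            break  # malformed entry; stop rather than loop forever
        if ctype == 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            yield pe[pos + 8:pos + length]
        pos += (length + 7) & ~7  # entries are 8-byte aligned

def timestamp_kinds(pe):
    """Return the timestamp types present: {'V1'}, {'V2'}, both, or empty (none)."""
    blobs = list(pkcs7_blobs(pe))
    return {n for n, oid in (("V1", LEGACY), ("V2", RFC3161)) if any(oid in b for b in blobs)}

def fake_pe(attr_oid):
    """Constructed input: bare PE32 headers plus one certificate entry holding attr_oid."""
    blob = b"\x30\x80" + attr_oid
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    hdr = bytearray(0x40 + 24 + 96 + 16 * 8)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<H", hdr, 0x58, 0x10B)
    struct.pack_into("<II", hdr, 0x58 + 96 + 32, len(hdr), len(cert))
    return bytes(hdr) + cert
```

For a real file, pass its bytes: `timestamp_kinds(open("test.exe", "rb").read())`. A file with nested or dual signatures can report both types.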