This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
harald_rheindo
Level 2
‎Oct 22, 2019 08:10 AM

SHA256 Timestampserver - Symantec shut down

Hi,
I use InstallShield 2016. We have a SHA256 certificate and we sign with InstallShield in SHA256. In the Settings.xml are the following entries for the timestampserver URL:
sha256timestamp.ws.symantec.com/sha256/timestamp. This also generates SHA256 for the counter signature.
Symantec will shut down these timestamp servers in late October. Then the entries in the Settings.xml are no longer valid.
As a replacement URL, we got "timestamp.digicert.com" called, this entry in the Settings.xml at the counter signature only generates SHA1.

Question: How can I use InstallShield to specify a SHA256 timestamp server, which then also generates a counter signature with SHA256?

In the Settings.xml can only be specified a URL, the parameters / fd / td, etc., which would be necessary for Signtool.exe I can not specify anywhere.

Thanks for your help or suggestions.

Harald

Labels (1)
Labels
0 Kudos
(2) Replies
banna_k
Revenera
Revenera
‎Oct 23, 2019 12:07 AM

 

Hi @harald_rheindo ,

 

Can modify your settings.xml with the time stamp server details, add the "DigitalSignature TimestampRFC3161" if it is not there. like below :

<DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/>
<DigitalSignature TimestampRFC3161="http://timestamp.verisign.com/scripts/timstamp.dll"/>

And specify the appropriate certificate signature digest from the certificate information dialog available under the release view.

 

0 Kudos
harald_rheindo
Level 2
In response to banna_k
‎Oct 23, 2019 02:34 AM

Hi,

I know these entries in Settings.xml. These URL details in the counter signature only indicate sha1 and not sha256. This does not work with the Verisign URL.
It only works with the Symantec URL, but these URLs will not be valid any more soon.

Thank you for your prompt reply.

Harald

0 Kudos