We are working on optimizing the digital signing process using the signtool.exe digest options. So far the workflow looks like this:
- Create the digest on the client: signtool.exe sign /f cert /fd sha256 /dg . MyFile.dll
- Send MyFile.dll.dig digest to our signing server.
- Sign digest on the signing server: signtool.exe sign /f cert /fd sha256 /ds MyFile.dll.dig
- Send the signature MyFile.dll.dig.signed back to the client.
- Create signature on the client: signtool.exe sign /di . MyFile.dll
- Add a timestamp on the client: signtool.exe timestamp /tr http://some_timestamp_server /td sha256 MyFile.dll
Is there a way to perform timestamping on the signing server?
No, not without transferring the entire file to your signing server. The timestamping is an operation applied directly to the file itself, so the file must exist locally. Your remote signing service only works because only the digest needs to be signed, not the full binary. However, as you pointed out, you still need to ingest the signed digest locally using the /di signtool option.
What you can do is create a custom tool to programmatically sign and timestamp a file according to your requirements. See this Microsoft article for how to use the SignerSignEx2 function, which supports timestamping: https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-programmatically-sign-a-package?redirectedfrom=MSDN
You may have already seen this, but I would also look at the AzureSignTool repo, which uses the undocumented SignerSignEx3 function to perform the signing using a callback. You could reasonably replace the Azure functionality with a call to some other custom signing service.
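The client side of the digest workflow from the question, wired together as an added PowerShell example (not from the original post, Microsoft, or AzureSignTool). It assumes signtool.exe is on PATH, that the signing server is a hypothetical HTTPS endpoint which runs the /ds step on the posted .dig file and returns the .dig.signed bytes, and that the certificate path and URLs are placeholders; it also adds the verify step a practitioner would want before shipping the binary.

```powershell
# Client-side automation of: /dg -> send digest -> receive signed digest -> /di -> timestamp -> verify.
# All server and certificate values below are placeholders (assumptions), not values from the post.
param(
    [Parameter(Mandatory)] [string] $File,                                  # e.g. .\MyFile.dll
    [string] $Cert          = 'cert.pfx',                                   # placeholder certificate file
    [string] $SigningServer = 'https://signing-server.example.invalid/sign', # hypothetical /ds endpoint
    [string] $TimestampUrl  = 'http://some_timestamp_server'                # URL from the question
)
$ErrorActionPreference = 'Stop'

$fullPath = (Resolve-Path $File).Path
$dir      = Split-Path -Parent $fullPath
$name     = Split-Path -Leaf   $fullPath
$digest   = Join-Path $dir "$name.dig"          # written by /dg next to the binary
$signed   = "$digest.signed"                    # what /di expects to find in $dir

function Invoke-SignTool {
    # Runs signtool.exe and stops the script on any non-zero exit code.
    param([string[]] $ToolArgs)
    & signtool.exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($ToolArgs[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Create the digest (and the unsigned PKCS7 companion) in $dir.
Invoke-SignTool @('sign', '/f', $Cert, '/fd', 'sha256', '/dg', $dir, $fullPath)

# 2. Send only the digest to the signing server; the server runs "signtool sign /ds"
#    and answers with the contents of MyFile.dll.dig.signed, which we store beside the digest.
Invoke-WebRequest -Uri $SigningServer -Method Post -InFile $digest `
                  -ContentType 'application/octet-stream' -OutFile $signed

# 3. Ingest the signed digest into the binary (reads $dir\MyFile.dll.dig.signed).
Invoke-SignTool @('sign', '/di', $dir, $fullPath)

# 4. Timestamp locally: the timestamp covers the signature now embedded in the file,
#    which is why this step needs the whole binary and cannot run on the digest server.
Invoke-SignTool @('timestamp', '/tr', $TimestampUrl, '/td', 'sha256', $fullPath)

# 5. Verify signature and timestamp before the file leaves the build machine.
Invoke-SignTool @('verify', '/pa', '/v', $fullPath)
```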