MS Authenticode Timestamp Signer
The class name is: org.signserver.server.signers.tsa.MSAuthCodeTimeStampSigner.
Overview
This timestamp signer is compatible with Microsoft Authenticode timestamping for code signing.
By default, the MS SignTool expects an MS Authenticode Timestamp Signer. Although you can set the TSA as Authenticode, this is the legacy format and is not preferred. Instead, set the TSA to use RFC 3161. See Timestamp Signer for more information.
In the MS SignTool, use the /t flag to specify the URL of the MS Authenticode Timestamp server.
To download a sample configuration file for this worker, see Sample Worker Configurations.
For information on the interfaces this worker can be called through, see Supported Interfaces by Worker.
Available Properties
| Property | Default | Description |
|---|---|---|
| INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE | False | (Optional) Specifies if the signing certificate attribute (id-aa-signingCertificate) [RFC2634] should be included in the response. |
| SIGNATUREALGORITHM | SHA256withRSA | Property specifying the algorithm used to sign the timestamp. |
| TIMESOURCE | None | (Optional) Property containing the fully qualified name of the class implementing the ITimeSource that should be used. This property has the same values as for the Timestamp Signer. |
Howto
There is a howto about testing Authenticode signing available in doc/howtos/test_ms_authcode.txt.
Certificate Requirements
A timestamp signer certificate must have the extended key usage extension present and marked as critical.
The extended key usage extension must contain the timeStamping key purpose ID and only that one.
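The two requirements above can be checked mechanically before a certificate is installed on the worker. The following is an added example, not SignServer code: it assumes the Python `cryptography` package, the helper names `tsa_eku_problems` and `make_sample_cert` are hypothetical, and the sample certificates are constructed in-process.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

TIME_STAMPING = ExtendedKeyUsageOID.TIME_STAMPING  # 1.3.6.1.5.5.7.3.8


def tsa_eku_problems(cert):
    """Return a list of violations of the timestamp signer EKU requirements."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return ["extended key usage extension is missing"]
    problems = []
    if not ext.critical:
        problems.append("extended key usage extension is not marked critical")
    purposes = list(ext.value)
    if TIME_STAMPING not in purposes:
        problems.append("timeStamping key purpose is missing")
    extra = [p.dotted_string for p in purposes if p != TIME_STAMPING]
    if extra:
        problems.append("extra key purposes present: " + ", ".join(extra))
    return problems


def make_sample_cert(purposes, critical):
    """Build a constructed, self-signed sample certificate (test input only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed TSA sample")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if purposes is not None:  # None means: omit the EKU extension entirely
        builder = builder.add_extension(x509.ExtendedKeyUsage(purposes), critical)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    code_signing = ExtendedKeyUsageOID.CODE_SIGNING
    for purposes, critical in [([TIME_STAMPING], True), ([TIME_STAMPING], False),
                               ([TIME_STAMPING, code_signing], True), (None, False)]:
        print(purposes, critical, tsa_eku_problems(make_sample_cert(purposes, critical)) or "OK")
```

To check a real certificate, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `tsa_eku_problems`; an empty list means both requirements are met.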