My use case is this: I want to be able to sign the EXEs and manifests on an "air gapped" computer, and then on an internet-connected computer add the timestamps. This has been doable with signtool.exe.
The problem I have is with mage.exe. It does not appear to be able to separately sign and then timestamp the signature, which seems odd.
I have tried the following:
mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH%
mage.exe -Update "myapp.exe.manifest" -TimestampUri http://timestamp.comodoca.com
After the sign step, I can examine the manifest and clearly see that it has been signed.
The update step, however, removes the signature completely.
If I do:
mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH% -TimestampUri http://timestamp.comodoca.com
it works fine and the manifest is signed and timestamped.
The only difference between the signed and signed-and-timestamped manifests is, unsurprisingly, the timestamp info.
So, the question is, is it possible to use mage.exe to sign a manifest and then later on add a timestamp in the way that signtool.exe allows?
Many thanks in advance,
James
