Question

Sign and timestamp manifest files on separate machines using mage.exe

Asked by strongnicholas-6859

My use case is this: I want to be able to sign the EXEs and manifests on an "air gapped" computer, and then on an internet-connected computer add the timestamps. This has been doable with signtool.exe.

The problem I have is with mage.exe. It does not appear to be able to separately sign and then timestamp the signature, which seems odd.

I have tried the following:

mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH%
mage.exe -Update "myapp.exe.manifest" -TimestampUri http://timestamp.comodoca.com

After the sign step, I can examine the manifest and clearly see that it has been signed.
The update step, however, removes the signature completely.

If I do
mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH% -TimestampUri http://timestamp.comodoca.com
It works fine and the manifest is signed and timestamped

The only difference between the signed and signed-and-timestamped manifests is, unsurprisingly, the timestamp info.

So, the question is, is it possible to use mage.exe to sign a manifest and then later on add a timestamp in the way that signtool.exe allows?

Many thanks in advance,
James

Tag: dotnet-csharp

This is graphically what I want to achieve, in case it helps.

[attached image: ikiw3.png]

1 Answer

Answered by DanielZhang-MSFT

Hi strongnicholas-6859,
As the documentation says, if you have already signed a file with a certificate, -Update will remove the key signature block. This is because the key signature contains a hash of the file, and modifying the file renders the hash invalid.
And once the exe is signed, it cannot be reset with signtool unless you delete the signature with delcert.exe.
Best Regards,
Daniel Zhang



Hi Daniel,

Thanks for the response. I think the hash contained in the key signature block cannot be a hash of the file plus signature & timestamp, otherwise it would be a circular problem. It must be a hash of the file contents without the key signature. I have seen this by looking at the diff between a signed manifest and a signed-and-timestamped manifest. There appears to be no difference other than the addition of the timestamp. No hashes contained in the manifest were otherwise changed.

The exe signing is fine. Signtool.exe allows me to sign it and then timestamp it later on. It's mage.exe that doesn't appear to let me do this. It seems it only supports signing and timestamping simultaneously.

Do you know if mage.exe can split the two operations in the same way as signtool.exe?

Thanks,
James


Hi @strongnicholas-6859,
As mentioned above, the Update command removes the key signature block that has been set.
So I am afraid that mage.exe does not support separate signing and timestamping.
Best Regards,
Daniel Zhang

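As an added check, not part of the original thread: a small Python script that inspects a ClickOnce manifest for the XML-DSig Signature element and an embedded timestamp, and compares the DigestValue entries of two manifests. Run against the output of each mage.exe step it makes the behaviour discussed above visible: after -Sign the manifest is signed but not timestamped, after -Sign with -TimestampUri the digests are identical and only the timestamp is added, and after -Update the Signature element is gone. The sample manifests are constructed, deliberately minimal, and not real mage output; the timestamp element name and namespace (as:Timestamp under the windows/pki/2005/01/timestamp namespace) are an assumption that should be verified against a real signed-and-timestamped manifest.

```python
"""Inspect ClickOnce manifests for an XML-DSig signature and a timestamp.

Usage: python check_manifest.py signed.manifest signed_ts.manifest
"""
import sys
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: mage embeds the timestamp token as <as:Timestamp> in this
# namespace inside the <Signature>. Verify against a real manifest.
TS_NS = "http://schemas.microsoft.com/windows/pki/2005/01/timestamp"


def inspect_manifest(xml_text):
    """Return whether the manifest is signed/timestamped and its digests."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{{{DSIG_NS}}}Signature")
    if sig is None:
        # This is the state mage -Update leaves behind.
        return {"signed": False, "timestamped": False, "digests": {}}
    digests = {}
    for ref in sig.iter(f"{{{DSIG_NS}}}Reference"):
        dv = ref.find(f"{{{DSIG_NS}}}DigestValue")
        digests[ref.get("URI", "")] = (dv.text or "").strip() if dv is not None else None
    ts = sig.find(f".//{{{TS_NS}}}Timestamp")
    timestamped = ts is not None and bool((ts.text or "").strip())
    return {"signed": True, "timestamped": timestamped, "digests": digests}


def compare_manifests(before_xml, after_xml):
    """Compare two states of one manifest (e.g. before/after a mage step)."""
    a, b = inspect_manifest(before_xml), inspect_manifest(after_xml)
    return {
        "both_signed": a["signed"] and b["signed"],
        "signature_stripped": a["signed"] and not b["signed"],
        "same_digests": a["digests"] == b["digests"],
        "timestamp_added": (not a["timestamped"]) and b["timestamped"],
    }


# Constructed sample manifests (not real mage output): the same minimal
# manifest after -Sign, after -Sign with -TimestampUri, and after -Update.
_BODY = (
    '<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" '
    'xmlns="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">'
    '<assemblyIdentity name="myapp.exe" version="1.0.0.0"/>'
)
_SIG_OPEN = (
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignedInfo><Reference URI=""><DigestValue>q2Z1b3Jz</DigestValue>'
    '</Reference></SignedInfo><SignatureValue>AAAA</SignatureValue>'
)
SIGNED = _BODY + _SIG_OPEN + "</Signature></asmv1:assembly>"
SIGNED_TS = _BODY + _SIG_OPEN + (
    '<Object Id="ts-object"><as:Timestamp xmlns:as="' + TS_NS + '">MIIB'
    "</as:Timestamp></Object></Signature></asmv1:assembly>"
)
UPDATED = _BODY + "</asmv1:assembly>"


def main(argv):
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as f1, open(argv[2], encoding="utf-8") as f2:
            result = compare_manifests(f1.read(), f2.read())
    else:
        # No files given: show the three constructed states.
        for name, xml in (("sign", SIGNED), ("sign+ts", SIGNED_TS), ("update", UPDATED)):
            print(name, inspect_manifest(xml))
        result = compare_manifests(SIGNED, SIGNED_TS)
    print(result)


if __name__ == "__main__":
    main(sys.argv)
```

A result of `same_digests: True` with `timestamp_added: True` is the "only the timestamp differs" observation; `signature_stripped: True` is what the -Update step produces.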