The MS Authenticode Timestamp Signer is compatible with Microsoft Authenticode time-stamping for code signing.
Fully qualified class name: org.signserver.server.signers.tsa.MSAuthCodeTimeStampSigner.
Overview
By default, the MS SignTool expects an MS Authenticode Timestamp Signer. Although you can set the TSA as Authenticode, this is the legacy format and is not preferred. Instead, set the TSA to use RFC 3161. See Timestamp Signer for more information.
In the MS SignTool, use the /t flag to specify the URL of the MS Authenticode Timestamp server.
To download a sample configuration file for this Worker, see Sample Worker Configurations.
For information on the interfaces this Worker can be called through, see Supported Interfaces by Worker.
Available Properties
| Property | Default | Description |
|---|---|---|
| INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE | False | (Optional) Specifies if the signing certificate attribute (id-aa-signingCertificate) [RFC2634] should be included in the response. |
| SIGNATUREALGORITHM | SHA256withRSA | Property specifying the algorithm used to sign the timestamp. |
| TIMESOURCE | None | (Optional) Property containing the fully qualified name of the class implementing the ITimeSource that should be used. This property has the same values as for the Timestamp Signer. |
Howto
There is a howto about testing Authenticode signing available in doc/howtos/test_ms_authcode.txt.
Certificate Requirements
- A timestamp signer certificate must have the extended key usage extension present and marked as critical.
- The extended key usage extension must contain the timeStamping key purpose ID and only that one.
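The two requirements above can be checked on a certificate before it is installed for the worker. The following is an added example, not SignServer code: it uses only the Go standard library, and `CheckTSACert`, `makeCert` and the certificates it generates are hypothetical names and constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}               // id-ce-extKeyUsage
var oidTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8} // id-kp-timeStamping
var oidCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}  // id-kp-codeSigning

// CheckTSACert applies the two certificate requirements to a parsed certificate.
func CheckTSACert(cert *x509.Certificate) error {
	critical := false
	for _, ext := range cert.Extensions {
		critical = critical || (ext.Id.Equal(oidExtKeyUsage) && ext.Critical)
	}
	if !critical {
		return fmt.Errorf("extended key usage must be present and marked critical")
	}
	if len(cert.UnknownExtKeyUsage) > 0 || len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping {
		return fmt.Errorf("extended key usage must contain timeStamping and only that purpose")
	}
	return nil
}

func makeCert(critical bool, purposes ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for a constructed, self-signed sample
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if val, err := asn1.Marshal(purposes); err == nil && len(purposes) > 0 {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidExtKeyUsage, Critical: critical, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeCert(true, oidTimeStamping, oidCodeSigning)
	fmt.Println(err == nil && CheckTSACert(cert) == nil) // a second purpose is listed, so the check rejects it
}
```

The extension is written through `ExtraExtensions` because Go's `ExtKeyUsage` template field emits a non-critical extension, which the first requirement rules out.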