7654 – Windows installer signing failing

Bug 7654 - Windows installer signing failing

Summary: Windows installer signing failing

Status:	CLOSED FIXED

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Client platforms (show other bugs)
Version:	trunk
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	4.13.0
Assignee:	Pierre Ossman

URL:
Keywords:	nikle_tester, prosaic

Depends on:
Blocks:

Reported:	2021-03-04 11:04 CET by Pierre Ossman
Modified:	2021-03-19 12:33 CET (History)
CC List:	1 user (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio

2021-03-04 11:04:25 CET

For the last few days we're getting this error when trying to sign our windows installer:

> Failed to convert timestamp reply from http://timestamp.globalsign.com/?signature=sha2; HTTP status 415
> 4154365632:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130:
> 4154365632:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=TimeStampResp
> RFC 3161 timestamping failed

415 is "unsupported media type" so it seems globalsign has changed something. However I'm unable to find anyone else having this issue, or any new information from globalsign.

Another thread[1] for globalsign timestamp issues does mention a change of URL though, from "http://timestamp.globalsign.com/?signature=sha2" to "https://rfc3161timestamp.globalsign.com/advanced".

Our curl doesn't support https for some reason, but when changing the URL to http then the signing suddenly starts working. I can also verify that Windows accepts the signature.

[1] https://developercommunity.visualstudio.com/t/impossible-to-sign-code-with-globalsign/1324584

Comment 2 Pierre Ossman cendio

2021-03-04 15:44:51 CET

Tested build with URL changed and Windows gladly accepts those signature. Considering fixed.

Comment 3 Niko Lehto cendio

2021-03-05 11:10:51 CET

I could reproduce this issue by trying to make an older commit (r36246) that was working at the time of commit, but this time I got the same error as in comment #0.
Tested nightly build (6767) on Windows 10. The signatures seems to be ok!

Comment 4 Pierre Ossman cendio

2021-03-19 08:56:45 CET

Something is wrong again:

> osslsigncode -pkcs12 /var/lib/jenkins/jobs/thinlinc_client/workspace/pki/codesign_windows.p12 -pass `cat /etc/codesign.pass` -n "ThinLinc Client" -i "http://www.cendio.com/" -comm -ts 'http://rfc3161timestamp.globalsign.com/advanced' -h sha256 -in installer/customizer.exe -out tl-4.12.1post-client-customizer.exe || cp installer/customizer.exe tl-4.12.1post-client-customizer.exe
> Failed to convert timestamp reply from http://rfc3161timestamp.globalsign.com/advanced; HTTP status 302
> 4154963648:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130:
> 4154963648:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=TimeStampResp
> RFC 3161 timestamping failed

Comment 5 Pierre Ossman cendio

2021-03-19 12:33:21 CET

Never mind. Works fine again. Temporary server glitch I guess.

Note You need to log in before you can comment on or make changes to this bug.