The class name is: org.signserver.server.signers.tsa.MSAuthCodeTimeStampSigner.

Overview

This time-stamp signer is compatible with Microsoft Authenticode time stamping for code signing.

By default, MS SignTool expects an MS Authenticode Time Stamp Signer. Although you can set the TSA to Authenticode, this is the legacy format and is not preferred. Instead, set the TSA to use RFC 3161. See Time Stamp Signer for more information.

In the MS SignTool, use the /t flag to specify the URL of the MS Authenticode Time Stamp server.

Available Properties

| Property | Description |
| --- | --- |
| INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE | (Optional) Specifies if the signing certificate attribute (id-aa-signingCertificate) [RFC2634] should be included in the response. Default: False. |
| SIGNATUREALGORITHM | Property specifying the algorithm used to sign the timestamp. Default: SHA256withRSA. |
| TIMESOURCE | (Optional) Property containing the fully qualified name of the class implementing the ITimeSource that should be used. This property has the same values as for TimeStampSigner. |

Howto

There is a howto about testing Authenticode signing available in doc/howtos/test_ms_authcode.txt.

Certificate Requirements

  • A time-stamp signer certificate must have the extended key usage extension present and marked as critical.

  • The extended key usage extension must contain the timeStamping key purpose ID and only that one.
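
A check for the two requirements above, as an added example that is not part of SignServer or its documentation. It walks DER bytes using only the Python standard library; the function names and the hex samples are constructed for illustration.

```python
EKU_OID = bytes.fromhex("551d25")                 # 2.5.29.37 extendedKeyUsage
TIMESTAMPING = bytes.fromhex("2b06010505070308")  # 1.3.6.1.5.5.7.3.8 timeStamping

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[i:i + length]
        i += length

def find_eku(der):
    """Search constructed elements depth-first; return the EKU Extension's fields."""
    for tag, value in tlvs(der):
        if tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            fields = list(tlvs(value))
            if tag == 0x30 and fields and fields[0] == (0x06, EKU_OID):
                return fields
            found = find_eku(value)
            if found:
                return found
    return None

def check_tsa_eku(der):
    """Return the list of violated requirements; an empty list means compliant."""
    ext = find_eku(der)
    if ext is None:
        return ["extended key usage extension missing"]
    problems = []
    # critical is BOOLEAN DEFAULT FALSE, so an absent field means non-critical
    if not (len(ext) == 3 and ext[1] == (0x01, b"\xff")):
        problems.append("extended key usage not marked critical")
    _, eku_seq = next(tlvs(ext[-1][1]))  # extnValue wraps SEQUENCE OF KeyPurposeId
    if [oid for _, oid in tlvs(eku_seq)] != [TIMESTAMPING]:
        problems.append("key purposes must be exactly timeStamping")
    return problems

# Constructed sample Extension encodings (not taken from real certificates).
GOOD = bytes.fromhex("30160603551d250101ff040c300a06082b06010505070308")
NOT_CRITICAL = bytes.fromhex("30130603551d25040c300a06082b06010505070308")
EXTRA_PURPOSE = bytes.fromhex("30200603551d250101ff0416301406082b0601050507030806082b06010505070303")
```

Pass the DER bytes of a whole certificate or of a single Extension; PEM input must be base64-decoded first.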