Bug 7654 - Windows installer signing failing
Summary: Windows installer signing failing
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.13.0
Assignee: Pierre Ossman
Keywords: nikle_tester, prosaic
Depends on:
Reported: 2021-03-04 11:04 CET by Pierre Ossman
Modified: 2021-03-19 12:33 CET (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2021-03-04 11:04:25 CET
For the last few days we're getting this error when trying to sign our windows installer:

> Failed to convert timestamp reply from http://timestamp.globalsign.com/?signature=sha2; HTTP status 415
> 4154365632:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130:
> 4154365632:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=TimeStampResp
> RFC 3161 timestamping failed

415 is "unsupported media type" so it seems globalsign has changed something. However I'm unable to find anyone else having this issue, or any new information from globalsign.

Another thread[1] for globalsign timestamp issues does mention a change of URL though, from "http://timestamp.globalsign.com/?signature=sha2" to "https://rfc3161timestamp.globalsign.com/advanced".

Our curl doesn't support https for some reason, but when changing the URL to http then the signing suddenly starts working. I can also verify that Windows accepts the signature.

[1] https://developercommunity.visualstudio.com/t/impossible-to-sign-code-with-globalsign/1324584
Comment 2 Pierre Ossman cendio 2021-03-04 15:44:51 CET
Tested build with URL changed and Windows gladly accepts those signature. Considering fixed.
Comment 3 Niko Lehto cendio 2021-03-05 11:10:51 CET
I could reproduce this issue by trying to make an older commit (r36246) that was working at the time of commit, but this time I got the same error as in comment #0.
Tested nightly build (6767) on Windows 10. The signatures seems to be ok!
Comment 4 Pierre Ossman cendio 2021-03-19 08:56:45 CET
Something is wrong again:

> osslsigncode -pkcs12 /var/lib/jenkins/jobs/thinlinc_client/workspace/pki/codesign_windows.p12 -pass `cat /etc/codesign.pass` -n "ThinLinc Client" -i "http://www.cendio.com/" -comm -ts 'http://rfc3161timestamp.globalsign.com/advanced' -h sha256 -in installer/customizer.exe -out tl-4.12.1post-client-customizer.exe || cp installer/customizer.exe tl-4.12.1post-client-customizer.exe
> Failed to convert timestamp reply from http://rfc3161timestamp.globalsign.com/advanced; HTTP status 302
> 4154963648:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130:
> 4154963648:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=TimeStampResp
> RFC 3161 timestamping failed
Comment 5 Pierre Ossman cendio 2021-03-19 12:33:21 CET
Never mind. Works fine again. Temporary server glitch I guess.

Note You need to log in before you can comment on or make changes to this bug.