Is http://timestamp.geotrust.com/tsa no longer available for SignTool?

We sign our executables on the build server. The build server suddenly fails to build and gives the error:

SignTool Error: The specified timestamp server either could not be reached or returned an invalid response.

After changing the timestamp server to http://sha256timestamp.ws.symantec.com/sha256/timestamp, signing works again.

  1. Is there something wrong with our old URL? Why is it no longer available?
  2. Are there any (security) issues with the previously signed files or with the new URL?

I know this is a bit broad; I just don't want to miss anything...

I have been getting the same TSA problem since April 21, 2017. Switching from https://timestamp.geotrust.com/tsa to http://sha256timestamp.ws.symantec.com/sha256/timestamp also fixed our problem, so thanks for the pointer. The specific error I got with the old URL was jarsigner returning "java.net.SocketException: software caused connection abort: recv failed."

Verisign knowledge base article AR185, updated on March 16, 2017, recommends the jarsigner parameter "-tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp" where it used to recommend https://timestamp.geotrust.com/tsa. This documentation change suggests to me that disabling the URL was probably deliberate, but I don't know whether that has any impact on the trust level of JARs signed with the old timestamp server.

I asked Symantec, and they sent me this link: https://knowledge.symantec.com/support/partner/index?page=content&id=NEWS10071&viewlocale=en_US

By April 18, 2017, Symantec will decommission the "Legacy" timestamping service.

(Legacy) RFC 3161 SHA128 Timestamp Service: https://timestamp.geotrust.com/tsa

To support business continuity for our customers, we have provided the following replacement services.

(New) RFC 3161 Service SHA256: http://sha256timestamp.ws.symantec.com/sha256/timestamp

Important: Customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn't allow use of SHA2 service (in this case you can use this new URL: RFC 3161 Service SHA128: http://sha1timestamp.ws.symantec.com/sha1/timestamp).

Background and Key Industry Mandates affecting the Timestamping services

To comply with Minimum Requirements for Code Signing (CSMRs) published by CA Security Council and Microsoft Trusted Root Program Requirements (section 3.14), Symantec has set up the "new" RFC 3161 (SHA1 and SHA2) service as per specifications and requirements laid out by section 16.1 which requires FIPS 140-2 Level 3 key protection. In the near future, Oracle will be taking steps to remove SHA1 support for both Java signing and timestamping. This will not impact Java applications that were previously signed or timestamped with SHA1 as these will continue to function properly. However, Java applications signed or timestamped with SHA1 after Oracle's announced date may not be trusted.
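To see concretely what "SHA1 service" versus "SHA256 service" means at the protocol level, here is an added example (not from any poster or from Symantec) that builds an RFC 3161 TimeStampReq with Python's standard library and reads back which hash algorithm the request's MessageImprint carries. The TSA URL and sample data are placeholders; the request is the same shape that signtool and jarsigner POST to a TSA.

```python
import hashlib
import urllib.request

# DER-encoded OID values (without tag/length) for the MessageImprint hashAlgorithm
SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1

def der(tag, body):
    """Minimal DER TLV encoder; lengths up to 64 KiB cover any TimeStampReq."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_int(value):
    """DER INTEGER for a non-negative int (extra byte keeps the sign bit clear)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_tsq(data, oid=SHA256_OID, nonce=None, cert_req=True):
    """Build an RFC 3161 TimeStampReq (DER bytes) over `data` using SHA-256 or SHA-1."""
    digest = (hashlib.sha256 if oid == SHA256_OID else hashlib.sha1)(data).digest()
    alg_id = der(0x30, der(0x06, oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    imprint = der(0x30, alg_id + der(0x04, digest))     # MessageImprint
    body = der_int(1) + imprint                         # version v1(1)
    if nonce is not None:
        body += der_int(nonce)                          # nonce binds reply to this request
    if cert_req:
        body += der(0x01, b"\xff")                      # certReq TRUE: ask for TSA cert
    return der(0x30, body)

def tlv(buf, pos=0):
    """Decode one DER TLV at `pos` -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def imprint_hash_algorithm(tsq):
    """Name the hash algorithm a TimeStampReq asks the TSA to sign over."""
    _, req, _ = tlv(tsq)           # TimeStampReq SEQUENCE
    _, _, after_version = tlv(req)  # skip version INTEGER
    _, imprint, _ = tlv(req, after_version)
    _, alg_id, _ = tlv(imprint)
    _, oid, _ = tlv(alg_id)
    return {SHA1_OID: "sha1", SHA256_OID: "sha256"}.get(oid, "unknown")

def request_timestamp(tsa_url, tsq):
    """POST the request as a TSA expects; returns the raw DER TimeStampResp."""
    req = urllib.request.Request(tsa_url, data=tsq,
                                 headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req, timeout=20) as resp:  # placeholder URL, needs network
        return resp.read()
```

Pass the returned bytes to `openssl ts -reply -in resp.tsr -text` to inspect the reply, or to `openssl ts -verify` together with the data and the TSA CA chain.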

Getting a timestamp from another provider (link):

You could also try:

You can choose KeyStore Explorer (a signing tool with a good GUI). Its default link, http://timestamp.geotrust.com/tsa, does not work; if that is the case, don't forget to change the invalid link in the option TSA URL (Add Timestamp) to another valid one.

For example, this option (link) works well for me: http://tsa.starfieldtech.com