
I'm wondering if there exists any trusted third-party service that I can submit a file, or just a signature of a file, and get back a signature of that file signed with the timestamp of when it was signed.

Does any such service exist?

I'm not looking for something complicated like a block chain - just a simple service that uses GPG or something similar.

Jacob Brown

  • If you search for "time stamping authority" there are several that come up. Whether these are "trusted" depends on who you need to trust them. – AndrolGenhald Aug 02 '18 at 02:35
  • AFAICT pretty much everybody doing this uses [RFC3161](https://tools.ietf.org/html/rfc3161) which signs a _hash_ (it never sees the actual data) using CMS (formerly known as PKCS7). That is similar to GPG for sufficiently small values of similar. – dave_thompson_085 Aug 02 '18 at 04:41

1 Answer

A line from a build script I used a few years ago:

```
signtool sign /v /f <REDACTED> /p <REDACTED> /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll %1
```

That is, using the Windows SDK's signtool.exe to request that Verisign (now Symantec) timestamp the signature of the file I was compiling. Ironically, the domain timestamp.verisign.com is unavailable over HTTPS (although this doesn't really matter; no meaningfully sensitive data was being passed and I could of course verify the timestamp signature against a known key).

You may be able to find other public timestamping authorities; that's just one I was shown by somebody else working on a similar problem. Also, note that signtool.exe has a separate parameter (/tr vs. /t) for RFC 3161 URLs, which suggests that the URL I provided is not RFC 3161 compliant.

CBHacking

  • Oh sweet thanks! It sounds like that command is Windows specific, and I was looking for something more of an open standard, so I looked more into the RFC 3161 and it sounds like what I was looking for. After some more searching based on that RFC, I found https://en.wikipedia.org/wiki/Trusted_timestamping and https://www.openssl.org/docs/manmaster/man1/ts.html which also seem useful for people who are interested in using this kind of timestamp verification. Does the Verisign/Symantec service cost money, or is it a free service? I was thinking someone must have set up a free service to do this. – Jacob Brown Aug 03 '18 at 20:27
  • @JacobBrown It is free to use the service at that URL; no authentication is needed. `signtool.exe` is specifically for Microsoft's Authenticode signatures (it may be able to do other kinds of signing, but I've never used it for that). I suspect the wire protocol it uses to talk to the server is, if not technically a standard, platform-agnostic and easy enough to implement anyhow. – CBHacking Aug 05 '18 at 05:21
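An added example, not from the question or answer above: the RFC 3161 TimeStampReq that a client such as `openssl ts -query` sends to a timestamping authority, built in Python with only the standard library. It makes the comment's point concrete that the TSA only ever receives a hash of the file plus a nonce, never the file itself. Assumes SHA-256 as the imprint algorithm and a caller-supplied nonce; the DER helpers are hypothetical names written for this example.

```python
import hashlib

# OID 2.16.840.1.101.3.4.2.1 (sha256), pre-encoded as a DER OBJECT IDENTIFIER
SHA256_OID = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Non-negative INTEGER; extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_timestamp_request(data: bytes, nonce: int, cert_req: bool = True) -> bytes:
    """TimeStampReq (RFC 3161 s2.4.1): version 1, MessageImprint, nonce, certReq.
    Only the digest of `data` goes on the wire; the TSA never sees `data`."""
    digest = hashlib.sha256(data).digest()
    alg_id = tlv(0x30, SHA256_OID + b"\x05\x00")          # AlgorithmIdentifier, NULL params
    imprint = tlv(0x30, alg_id + tlv(0x04, digest))        # MessageImprint
    body = der_int(1) + imprint + der_int(nonce)           # nonce binds reply to this request
    if cert_req:
        body += b"\x01\x01\xff"                            # certReq BOOLEAN TRUE (DEFAULT FALSE)
    return tlv(0x30, body)


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at `pos`; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def hashed_message(request: bytes) -> bytes:
    """Recover hashedMessage from a TimeStampReq: this is what a verifier later
    compares against its own digest of the original file."""
    _, body, _ = der_read(request)            # outer SEQUENCE
    _, _, pos = der_read(body)                # version
    _, imprint, _ = der_read(body, pos)       # MessageImprint
    _, _, pos = der_read(imprint)             # AlgorithmIdentifier
    tag, digest, _ = der_read(imprint, pos)   # hashedMessage OCTET STRING
    if tag != 0x04:
        raise ValueError("hashedMessage is not an OCTET STRING")
    return digest
```

Write the returned bytes to a file and `openssl ts -query -in req.tsq -text` will print the same fields; the reply from a TSA is then checked with `openssl ts -verify` against the original data.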