A line from a build script I used a few years ago:
signtool sign /v /f <REDACTED> /p <REDACTED> /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll %1
That is, using the Windows SDK's signtool.exe
to request that Verisign (now Symantec) timestamp the signature of the file I was compiling. Ironically, the domain timestamp.verisign.com is unavailable over HTTPS (although this doesn't really matter; no meaningfully sensitive data was being passed and I could of course verify the timestamp signature against a known key).
You may be able to find other public timestamping authorities; that's just one I was shown by somebody else working on a similar problem. Also, note that signtool.exe
has a separate parameter (/tr
vs. /t
) for RFC 3161 URLs, which suggests that the URL I provided is not RFC 3161 compliant.