I use the following batch file which loops a max of 300 times. There are two arguments, %1 is the path to a folder containing the batch file, pfx file and signtool.exe. %2 is the full path to the file being signed. You can call this in your visual studio post build event with something like call “$(SolutionDir)thirdparty\signing\sign.bat” “$(SolutionDir)thirdparty\signing” “$(TargetPath)”
I have modified this batch file to use different timestamp servers in each iteration. Currently it uses Comodo, Verisign, GlobalSign and Starfield. Hopefully this is The Ultimate Signing Script 😉
@echo off
REM create an array of timestamp servers...
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
REM sign the file...
%1\signtool.exe sign /f %1\comodo.pfx /p videodigital %2
set timestampErrors=0
for /L %%a in (1,1,300) do (
for %%s in %SERVERLIST% do (
REM try to timestamp the file. This operation is unreliable and may need to be repeated...
%1\signtool.exe timestamp /t %%s %2
REM check the return value of the timestamping operation and retry a max of ten times...
if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded
echo Signing failed. Probably cannot find the timestamp server at %%s
set /a timestampErrors+=1
)
REM wait 2 seconds...
choice /N /T:2 /D:Y >NUL
)
REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1
:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0
I also put http://timestamp.comodoca.com into the trusted sites (thanks Vince). I think that may be an important step. I updated the root certificates on the PC too.