Code signing / Timestamp

Add-in Express™ Support Service
ewessely




Posts: 55
Joined: 2019-01-31
Hi,
I'm trying to sign my Addin with a codesigning certificate following the instructions in the docu.
My Addin <myAddin>.dll is signed AND timestamped sha1 and sha256 correctly
BUT:
adxloader.<myAddIn>.dll and adxloader64.<myAddIn>.dll are signed sha1 and sha256 but NOT timestamped.

I'm not an expert in signing, but doesn't that mean the signature without a timestamp gets invalid after expiration of the certificate? And Excel is loading the AddIn via the adxloader and would recognize the addin as not signed?

I'm using an official codesigning certificate from Sectigo/Comodo

br
Erich
ew
Posted 31 Oct, 2019 06:40:25
Andrei Smolin


Add-in Express team


Posts: 18794
Joined: 2006-05-11
Hello Erich,

I've specified an Add-in Express certificate and a time-stamp server. When I build the add-in the assembly and the loaders become signed and time-stamped.

Do you get any warnings when rebuilding your add-in project?

As to your question, here's what they write at https://www.digicert.com/blog/best-practices-timestamping/:

Note that the signature on your executable is checked every time the user runs it. This means that if your certificate expires and there is no timestamp, the software will suddenly stop working for all your users.



Andrei Smolin
Add-in Express Team Leader
Posted 31 Oct, 2019 07:41:25
ewessely




Posts: 55
Joined: 2019-01-31
Hello Andrei,
wow - very prompt :-)

The good news first:
I set up the signing from scratch and now all is signed and timestamped correctly :-)

The "bad" news:
Maybe by design or a bug - but it's reproducible (and as far as I remember I did it that way when enabling signing the first time - I didn't know the url of the timeservers)...

Steps to reproduce:
-set signing options but without timestamp server
-compile -> all dlls are signed without timestamp (expected)
-add timestamp server
-compile -> only the addin gets timestamped not the adxloader (also when you clear the bin and obj folder before compiling)

Repair:
-remove signing (uncheck in your dialog)
-delete all from bin and obj (just to be sure)
-recompile (nothing is signed as expected)
-enable signing, including the timeserver settings
-recompile -> WORKING :-)

Best regards and many thanks for help
Erich
ew
Posted 31 Oct, 2019 08:05:01
Andrei Smolin


Add-in Express team


Posts: 18794
Joined: 2006-05-11
Hello Erich,

I've reproduced the issue. Thank you very much for pointing us to it!

The issue is now filed down under #16669 in our issue-tracking DB. When this bug is fixed, you'll find this number in whatsnew.txt.

Thank you very much!


Andrei Smolin
Add-in Express Team Leader
Posted 31 Oct, 2019 08:20:41
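A post-build check for the situation described in this thread, where the add-in assembly is time-stamped but the adxloader DLLs are not. This is an added example, not code from the thread or from Add-in Express; the output folder and the `MyAddin.dll` file name are placeholders to adjust, and the `adxloader*.dll` pattern follows the file names mentioned above.

```powershell
# Added example: fail the build when a shipped DLL is unsigned, invalid,
# or signed without a time-stamp.
param(
    # Assumption: build output folder of the add-in project.
    [string]$OutputDir = '.\bin\Release',
    # Assumption: 'MyAddin.dll' is a placeholder for the add-in assembly.
    [string[]]$Patterns = @('MyAddin.dll', 'adxloader*.dll')
)

# Pick only the files we sign ourselves, not third-party DLLs in the folder.
$files = Get-ChildItem -Path $OutputDir -File | Where-Object {
    $name = $_.Name
    $Patterns | Where-Object { $name -like $_ }
}

if (-not $files) {
    Write-Error "No files matching $($Patterns -join ', ') in $OutputDir"
    exit 1
}

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File        = $f.Name
        Status      = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        CertExpires = $sig.SignerCertificate.NotAfter    # empty when the file is unsigned
        TimeStamped = [bool]$sig.TimeStamperCertificate  # $false when no time-stamp is present
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}

$report | Format-Table -AutoSize

# A signature without a time-stamp stops validating once the signing
# certificate expires, so treat "signed but not time-stamped" as a failure.
$bad = $report | Where-Object { $_.Status -ne 'Valid' -or -not $_.TimeStamped }
if ($bad) {
    Write-Error ("Not valid or not time-stamped: " + ($bad.File -join ', '))
    exit 1
}
```

Get-AuthenticodeSignature returns a single signature object per file, so on dual-signed (sha1 and sha256) files this check does not cover each signature separately.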