Update signing timestamp servers and protocol (#253)

bpintea · bpintea · commit c292587baedc · 2020-07-22T09:24:33.000+02:00
This commit adds a few fallback servers that signtool.exe will run against, in case there's an error in the signing process. It also switches to using the RFC3161 format and SHA256 dig. algorithm. signtool.exe will now be run in debug mode. (cherry picked from commit 2c41f12)
diff --git a/installer/build/scripts/Build.fsx b/installer/build/scripts/Build.fsx
@@ -57,12 +57,15 @@ module Builder =
             tracefn "Signing MSI"
             let certificate = getBuildParam "certificate"
             let password = getBuildParam "password"
-            let timestampServer = "http://timestamp.comodoca.com"
             let timeout = TimeSpan.FromMinutes 1.
+            let timestampServers = ["http://timestamp.digicert.com" ; "http://timestamp.comodoca.com" ;
+                                    "http://timestamp.globalsign.com/scripts/timestamp.dll" ; "http://tsa.starfieldtech.com" ;
+                                    "http://zeitstempel.dfn.de"]
 
-            let sign () =
+            let sign timestampServer =
                 let signToolExe = ToolsDir @@ "signtool/signtool.exe"
-                let args = ["sign"; "/f"; certificate; "/p"; password; "/t"; timestampServer; "/d"; "\"Elasticsearch ODBC Driver\""; "/v"; file] |> String.concat " "
+                let args = ["sign"; "/debug" ; "/f"; certificate; "/p"; password; "/tr"; timestampServer; "/td" ; "SHA256" ;
+                            "/d"; "\"Elasticsearch ODBC Driver\""; "/v"; file] |> String.concat " "
                 let redactedArgs = args.Replace(password, "<redacted>")
 
                 use proc = new Process()
@@ -94,8 +97,16 @@ module Builder =
                 proc.WaitForExit()
                 proc.ExitCode
 
-            let exitCode = sign()
-            if exitCode <> 0 then failwithf "Signing returned error exit code: %i" exitCode
+            let mutable notSigned = true
+            for server in timestampServers do
+                if notSigned then
+                    let exitCode = sign server
+                    if (exitCode = 0) then
+                        notSigned <- false
+                    else
+                        tracefn "Signing with a timestamp from %s failed with code: %i" server exitCode
+            if notSigned then failwithf "Signing failed"
+            else tracefn "Signing succeeded."
 
     // Using DotNetZip due to errors with CMAKE zip files: https://github.com/fsharp/FAKE/issues/775
     let unzipFile(zipFolder: string, unzipFolder: string) =
