Sign and timestamp manifest files on separate machines using mage.exe

strong nicholas 21 Reputation points
2021-06-10T08:20:54.087+00:00

My use case is this: I want to be able to sign the EXEs and manifests on an "air gapped" computer, and then on an internet-connected computer add the timestamps. This has been doable with signtool.exe.

The problem I have is with mage.exe. It does not appear to be able to separately sign and then timestamp the signature, which seems odd.

I have tried the following:

mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH%
mage.exe -Update "myapp.exe.manifest" -TimestampUri http://timestamp.comodoca.com

After the sign step, I can examine the manifest and clearly see that it has been signed.
The update step, however, removes the signature completely.

If I do
mage.exe -Sign "myapp.exe.manifest" -CertHash %HASH% -TimestampUri http://timestamp.comodoca.com
It works fine, and the manifest is signed and timestamped.

The only difference between the signed and signed-and-timestamped manifests is, unsurprisingly, the timestamp info.

So, the question is, is it possible to use mage.exe to sign a manifest and then later on add a timestamp in the way that signtool.exe allows?

Many thanks in advance,
James


Accepted answer
  Daniel Zhang-MSFT 9,626 Reputation points
    2021-06-11T05:57:18.527+00:00

    Hi strongnicholas-6859,
    As the documentation says, if you have already signed a file with a certificate, -Update will remove the key signature block. This is because the key signature contains a hash of the file, and modifying the file renders the hash invalid.
    And once the exe is signed, it cannot be reset with signtool unless you delete the signature with delcert.exe.
    Best Regards,
    Daniel Zhang


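The two workflows discussed in this thread side by side, as an added example that is not code from the question or the answer: signtool.exe signs on the air-gapped machine and timestamps later on the connected machine, while mage.exe has no separate timestamp step (per the answer, -Update strips the signature), so each manifest is signed and timestamped in a single -Sign call on the connected machine. The certificate thumbprint, file names, the use of -AppManifest to refresh the deployment manifest, and the helper function names are placeholders assumed for illustration; the timestamp URL is the one from the question. One ordering caveat the thread's reasoning implies: adding the timestamp appends bytes to myapp.exe, so the application manifest's file hashes must be (re)computed after the EXE is timestamped, not before.

```powershell
# Added example, not part of the original thread. Values below are assumptions.
$ErrorActionPreference = 'Stop'

$CertHash       = 'PUT-SHA1-THUMBPRINT-HERE'        # thumbprint of the code-signing cert (assumed)
$TimestampUri   = 'http://timestamp.comodoca.com'   # TSA URL from the question
$Exe            = 'myapp.exe'                       # file names assumed
$AppManifest    = 'myapp.exe.manifest'
$DeployManifest = 'myapp.application'

# Run an external signing tool and fail loudly on a non-zero exit code,
# so a silent "signed nothing" never makes it into a release.
function Invoke-Tool {
    param([string]$Name, [string[]]$Arguments)
    & $Name @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# --- Air-gapped machine: Authenticode signature only, no network needed ---
function Invoke-OfflineSign {
    Invoke-Tool signtool.exe @('sign', '/sha1', $CertHash, '/fd', 'SHA256', $Exe)
}

# --- Connected machine: add an RFC 3161 timestamp to the existing signature ---
function Invoke-OnlineTimestamp {
    Invoke-Tool signtool.exe @('timestamp', '/tr', $TimestampUri, '/td', 'SHA256', $Exe)
    # The EXE's bytes change here; any ClickOnce manifest that hashes it must be
    # generated or updated only after this step.
}

# --- Connected machine: mage.exe signs and timestamps in one call ---
# There is no deferred-timestamp mode: running -Update on a signed manifest
# drops the signature (see the accepted answer), so do not try to add the
# timestamp in a later pass.
function Invoke-ManifestSign {
    # Regenerate or -Update the application manifest with your usual options
    # before this point so its file hashes match the timestamped EXE.
    Invoke-Tool mage.exe @('-Sign', $AppManifest, '-CertHash', $CertHash, '-TimestampUri', $TimestampUri)
    # The deployment manifest references the (now signed) application manifest,
    # so refresh that reference first, then sign it the same way.
    Invoke-Tool mage.exe @('-Update', $DeployManifest, '-AppManifest', $AppManifest)
    Invoke-Tool mage.exe @('-Sign', $DeployManifest, '-CertHash', $CertHash, '-TimestampUri', $TimestampUri)
}

# Quick check that a manifest still carries an XML DSig <Signature> element,
# useful for spotting exactly the "-Update removed my signature" case.
function Test-ManifestSigned {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    return ($null -ne $doc.SelectSingleNode('//ds:Signature', $ns))
}

# Verify everything with the tools themselves rather than trusting the pipeline.
function Test-Signatures {
    Invoke-Tool signtool.exe @('verify', '/pa', '/v', $Exe)
    Invoke-Tool mage.exe @('-Verify', $AppManifest)
    Invoke-Tool mage.exe @('-Verify', $DeployManifest)
    if (-not (Test-ManifestSigned $AppManifest))    { throw "$AppManifest has no signature" }
    if (-not (Test-ManifestSigned $DeployManifest)) { throw "$DeployManifest has no signature" }
}

# Typical split: Invoke-OfflineSign on the air-gapped box; then copy myapp.exe over
# and run Invoke-OnlineTimestamp, Invoke-ManifestSign, Test-Signatures on the connected box.
```

Test-ManifestSigned only checks for the presence of the enveloped XML DSig element; it does not validate the signature or report whether a timestamp is present, which is what mage -Verify and signtool verify are for.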

