Getting a Driver Signed

I’ve been working off and on at getting my customer’s old driver ported to the new driver framework and compiling an x64 version. I got the driver working a few months ago, but had to put it on the back burner while they got an EV certificate from IdenTrust. I got the certificate installed and I was able to export a .cer file. I tried to sign the driver using signtool. It found the certificate and tried to sign the driver, but I got the error message:
“The specified timestamp server either could not be reached or returned an invalid response”

I double-checked, and I entered the address of the timestamp server correctly. I tried writing IdenTrust tech support and they said the server address is intended to be entered into an IDE. I tried running the tool with my virus scanner off. Their tech support has not been great.

As I understand it the next step after this is for my customer to set up a Hardware Dashboard account? I thought that was just for drivers included in Windows Update, but comments I’ve seen in other signing threads here indicate it needs to be done for all drivers? This is for industrial hardware with a limited user base who all know where to go for software updates.

Yes… you need a dashboard account.

There’s a lot of good and bad documentation available. Start here, which also points to a good msft doc page.

That is more helpful, but I still have the same problem. I made a .cab file. The article says that the cab file should include the pdb and cat file for the driver, but further down the example only includes the sys and inf files. Are the pdb and cat files required? I included them anyway.

In any case, attempting to sign the cab file gets the same error:
“The specified timestamp server either could not be reached or returned an invalid response”

IdenTrust claims the URL I’m using is their timestamp server. Windows Firewall is off and virus checker removed from memory for this attempt.

The CAT file is not required. Microsoft throws yours away and builds a new one from scratch. The PDB is optional.

What timestamp URL are you using? I used to use verisign.com, but that stopped working a year or so ago, so I believe I now use digicert.com.

I use IdenTrust’s because it’s an IdenTrust certificate. Can I use any timestamp server?

Here is the command line:

signtool sign /v /debug /ac RTICert.cer /s My /n "Company Name" /t "http://timestamp.identrust.com" x86cab\disk1\MTIsaDrv.cab

Company Name is replaced with the actual name of the company.

I tried the digitrust server and got the same error.

Yes, you can use any timestamp server.

Weird thing, I don’t know what exactly I did, but it finally signed with digicert. I found a list of servers and was going to try one at a time. I put them all in the bat and remarked them out. Digicert was first on the list. I don’t know why it worked this way, but it did.

Now we have to get the Hardware Dashboard account set up and I think we’ll finally have the finish line in sight.

Thanks

signtool sign /v /debug /ac RTICert.cer /s My /n "Company Name" /t "http://timestamp.identrust.com" x86cab\disk1\MTIsaDrv.cab

For what it’s worth, IdenTrust seems to only overtly declare RFC 3161 support, which requires the /TR option instead of /T.

The other “keeps saying my URL isn’t valid” possibility that came to mind seeing your post was HTTP versus HTTPS, either because HTTP won’t leave your site and/or because HTTP might not be supported at their end.
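As an added illustration (not a script from anyone in this thread), the following PowerShell wrapper puts the two suggestions above together: it signs with the RFC 3161 option `/tr` (plus `/td sha256`) rather than the legacy `/t`, walks a list of timestamp servers the way the poster described doing with a batch file, and then runs `signtool verify` so a missing timestamp is caught before the cab is submitted. It assumes signtool.exe from the Windows SDK is on PATH, that the EV certificate is in the CurrentUser `My` store, and that the cross-certificate file, subject name and cab path match the command line quoted earlier; the DigiCert URL is the commonly published one and is an assumption here, not something the thread confirms.

```powershell
# Added example: sign with RFC 3161 timestamping, falling back through a server list,
# then verify. Assumes signtool.exe (Windows SDK) is on PATH and the EV certificate
# is installed in the CurrentUser\My store.
param(
    [string]$File      = 'x86cab\disk1\MTIsaDrv.cab',   # cab from the thread
    [string]$Subject   = 'Company Name',                # /n subject-name match
    [string]$CrossCert = 'RTICert.cer'                  # cross-certificate passed to /ac
)

# RFC 3161 timestamp servers to try in order (assumed list; edit to taste).
$Servers = @(
    'http://timestamp.identrust.com',   # URL used in the thread
    'http://timestamp.digicert.com'     # assumed DigiCert RFC 3161 endpoint
)

function Invoke-SignWithTimestamp {
    param([string]$Server)
    Write-Host "Trying RFC 3161 timestamp server: $Server"
    # /fd sha256: file digest; /tr: RFC 3161 server; /td sha256: timestamp digest.
    & signtool sign /v /fd sha256 /ac $CrossCert /s My /n $Subject /tr $Server /td sha256 $File
    return ($LASTEXITCODE -eq 0)
}

$signed = $false
foreach ($s in $Servers) {
    if (Invoke-SignWithTimestamp -Server $s) { $signed = $true; break }
}
if (-not $signed) {
    throw "No timestamp server in the list accepted the request; the file is not timestamped."
}

# Verify the signature and print the chain and timestamp details so a
# signature that silently lacks a timestamp does not go out the door.
& signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $File" }
```

The timestamp matters because it lets the signature stay valid after the signing certificate expires; without it, `signtool verify` will still succeed today but the driver package will fail validation once the certificate lapses.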

One of the things I tried was using https instead of http. It had an immediate error.