From 9846d29d767a1a833dd8aa06b88f85af0edc0da4 Mon Sep 17 00:00:00 2001
From: Simon Rozman <simon@rozman.si>
Date: Wed, 20 Jun 2018 13:23:04 +0200
Subject: [PATCH] Switch to SHA-256 signing

---
 MSILocal.mak          | Bin 14916 -> 15068 bytes
 Makefile              | Bin 208556 -> 208594 bytes
 README.md             |   2 +-
 include/Debug.props   |   2 +-
 include/Release.props |   2 +-
 5 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/MSILocal.mak b/MSILocal.mak
index 36995ed808ca9d3dc8d94293f74dfd18c02c3734..d7a47fa7e23724d3039c34521ccc9e3b29b06188 100644
GIT binary patch
delta 222
zcmX?7a;J1dfV^ZHLkfceLoq`JLn4C_gDHa<kf+a3!ca6hP+prih{27)nZcOB5GZcA
n`L2E-<K{C8|CmYC<;ytvfhpH!AGJ56>)gCSn~8-)`_j1pq_Z!^

delta 97
zcmcapdZc7SfIMT#<hfefn-|IZu|k<ns!j-I0ORBZJUo;CDa1@ZAjmTLgRaoz0!5d}
h0qQK9-{@E{!*v7IJ>X=UEXT_>S<577vx?CU4glMgA~^s6

diff --git a/Makefile b/Makefile
index 6514f7a6ab625e07c7815ff1398c60cabd3b050c..be26167178f8a3a232fe2e244b6595da2f63971b 100644
GIT binary patch
delta 69
zcmZ2;m*>)5o`x32Elgc0l4%Sn3<?az3>gfG3`Pv53}!%{K0^sZ(RBM1CduhbQkaBz
XgBaWxoEeN641uzS+qb4LeLo2RqDK-~

delta 31
ncmca~muJmgo`x32Elgc0j3v|UQ<x;D?@3`2+I}a6>Dx&F)nE-r

diff --git a/README.md b/README.md
index a0ad9fe..100a91c 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ In order to have the build process digitally sign output files, one should provi
 1. A signing certificate installed in the current user’s certificate store.
 2. The following variables in the environment:
   - `ManifestCertificateThumbprint` - set the value to certificate’s SHA1 thumbprint (hexadecimal, without spaces, i.e. `bc0d8da45f9eeefcbe4e334e1fc262804df88d7e`).
-  - `ManifestTimestampUrl` - set the value to URL used to perform timestamp signature (i.e. `http://timestamp.verisign.com/scripts/timstamp.dll`). In order to perform timestamp signing successfully, the computer running the build should be online and able to access this URL.
+  - `ManifestTimestampRFC3161Url` - set the value to URL used to perform RFC3161 timestamp signature (i.e. `http://sha256timestamp.ws.symantec.com/sha256/timestamp`). In order to perform timestamp signing successfully, the computer running the build should be online and able to access this URL.
 
 Please note that only Release builds are configured for timestamp signing. Debug configurations do not attempt to timestamp sign the resulting DLL and EXE files in order to speed up the building process and enable offline building.
 
diff --git a/include/Debug.props b/include/Debug.props
index 9d655ea..7a0be7d 100644
--- a/include/Debug.props
+++ b/include/Debug.props
@@ -39,7 +39,7 @@
   <ItemGroup />
   <Target Name="Sign" Condition="'$(ManifestCertificateThumbprint)' != '' and ('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary')" AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
     <Message Text="Signing output file..." />
-    <SignFile CertificateThumbprint="$(ManifestCertificateThumbprint)" SigningTarget="$(OutDir)$(TargetName)$(TargetExt)" />
+    <Exec Command="signtool.exe sign /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha256 /q &quot;$(OutDir)$(TargetName)$(TargetExt)&quot;" />
     <Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
   </Target>
 </Project>
\ No newline at end of file
diff --git a/include/Release.props b/include/Release.props
index 8e73d43..4eddaa6 100644
--- a/include/Release.props
+++ b/include/Release.props
@@ -43,7 +43,7 @@
   <ItemGroup />
   <Target Name="Sign" Condition="'$(ManifestCertificateThumbprint)' != '' and ('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary')" AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
     <Message Text="Signing output file..." />
-    <SignFile CertificateThumbprint="$(ManifestCertificateThumbprint)" TimestampUrl="$(ManifestTimestampUrl)" SigningTarget="$(OutDir)$(TargetName)$(TargetExt)" />
+    <Exec Command="signtool.exe sign /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha256 /tr &quot;%ManifestTimestampRFC3161Url%&quot; /q &quot;$(OutDir)$(TargetName)$(TargetExt)&quot;" />
     <Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
   </Target>
 </Project>
\ No newline at end of file