Fix failing authenticode timestamping for Electron builds
One of my Electron applications suddenly started complaining during the code-signing step in our Travis build process. The error looked like this:
• signing file=dist/win-unpacked/vcruntime140.dll certificateFile=/tmp/temp-dir-ddP9es/7.p12
Error: Exit code: 255. Command failed: […]electron-builder/winCodeSign/winCodeSign-2.1.0/linux/osslsigncode […] (sha256 hash) failure: Failure when receiving data from the peer
authenticode timestamping failed
Failed
CURL failure: Failure when receiving data from the peer
authenticode timestamping failed
Strangely enough, this error only occurs after multiple successful calls to the osslsigncode command. I was not able to confirm it, but my guess is that the timestamp server is rate limiting these requests.
The solution is rather easy: use another timestamp server! The timeStampServer configuration option in electron-builder allows you to set a different one. I’ve added the following to my electron-builder.yml file to make it work:
win:
  timeStampServer: "http://timestamp.globalsign.com/scripts/timstamp.dll"
I’m building the Windows executable on Linux using Wine and this did the trick.
If you are building on Windows, you should be able to solve this by changing the signingHashAlgorithms to sha256 only, if possible.
Looking at the code in electron-builder’s packages/app-builder-lib/src/codeSign/windowsCodeSign.ts, signing with sha256 only uses the default RFC 3161 timestamping server instead, which points to http://timestamp.comodoca.com/rfc3161 by default and is therefore also different from the default timeStampServer:
win:
  signingHashAlgorithms:
    - sha256
I found the following alternative timeStampServer values to use (note: I have not tried all of them myself yet, so YMMV):
- http://timestamp.globalsign.com/scripts/timstamp.dll
- http://sha256timestamp.ws.symantec.com/sha256/timestamp
- http://tsa.starfieldtech.com
- http://dse200.ncipher.com/TSS/HttpTspServer
- http://timestamp.comodoca.com/authenticode
Hope that helps!