Merge 1.4 maintanace changes into develop (#239)

* Use alternative timeserver

Co-authored-by: Martin Multhaupt <[email protected]>
Co-authored-by: MMulthaupt <[email protected]>
Co-authored-by: Marc-André Aßbrock <[email protected]>

Author: 3 people

CHANGES.md

@@ -15,6 +15,10 @@
 * trivrost will no longer attempt to repeat range requests to a host after it has failed to conformly respond while displaying the confusing message `Taking longer than usual: HTTP Status 200` and will now fail immediately in such cases instead.
 * trivrost will no longer fail to comply with HTTP 2 strictly using lower-case HTTP Header names. This had been caused by methods of `http.Header` still being oriented around HTTP 1 canonical header names due to Go's backwards compatibility promise.
 
+## 1.4.6 (2021-01-25)
+### Fixes
+* Windows binary signing: Use RFC-3161 timestamp server with sha 256 config. SHA-1 ciphers are considered deprecated. Nothing should change for the enduser.
+
 ## 1.4.5 (2021-01-04)
 ### Fixes
 * Switch timestamp server for signing from Verisign to Globalsign.

Makefile

@@ -32,7 +32,7 @@ ifndef VERSIONOK
 endif
 $(info GIT description: '${GITDESC}' (latest master: '${LAUNCHER_VERSION}'), GIT branch '${GITBRANCH}', GIT hash '${GITHASH}')
 
-TIMESTAMP_SERVER = 'http://timestamp.globalsign.com/scripts/timstamp.dll'
+TIMESTAMP_SERVER = 'http://rfc3161timestamp.globalsign.com/advanced'
 
 #
 # Detect OS
@@ -150,7 +150,7 @@ ifndef CERT_KEY
 endif
 	$(info Signing windows release files...)
 	echo "$${CERT_FILE}" | base64 -d > ~tmp_launcher_cert
-	@signtool sign /debug /a /v /d "${LAUNCHER_BRANDING_NAME}" /f ~tmp_launcher_cert /p "${CERT_KEY}" /t ${TIMESTAMP_SERVER} /fd SHA512 "${UPDATE_FILES_DIR}/${OS}/${LAUNCHER_PROGRAM_NAME}.exe"
+	@signtool sign /debug /a /v /d "${LAUNCHER_BRANDING_NAME}" /f ~tmp_launcher_cert /p "${CERT_KEY}" /tr ${TIMESTAMP_SERVER} /td SHA256 /fd SHA512 "${UPDATE_FILES_DIR}/${OS}/${LAUNCHER_PROGRAM_NAME}.exe"
 	rm ~tmp_launcher_cert
 endif
 
@@ -166,8 +166,8 @@ ifneq (${OS},windows)
 else
 	$(info Signing windows release files...)
 	echo "$${CERT_FILE}" | base64 -d > ~tmp_launcher_cert
-	@signtool sign /debug /a /v /d "${LAUNCHER_BRANDING_NAME}" /f ~tmp_launcher_cert /p "${CERT_KEY}" /t ${TIMESTAMP_SERVER} /fd SHA512 "${RELEASE_FILES_DIR}/${OS}/${LAUNCHER_PROGRAM_NAME}_386.msi"
-	@signtool sign /debug /a /v /d "${LAUNCHER_BRANDING_NAME}" /f ~tmp_launcher_cert /p "${CERT_KEY}" /t ${TIMESTAMP_SERVER} /fd SHA512 "${RELEASE_FILES_DIR}/${OS}/${LAUNCHER_PROGRAM_NAME}_amd64.msi"
+	@signtool sign /debug /a /v /d "${LAUNCHER_BRANDING_NAME}" /f ~tmp_launcher_cert /p "${CERT_KEY}" /tr ${TIMESTAMP_SERVER} /td SHA256 /fd SHA512 "${RELEASE_FILES_DIR}/${OS}/${LAUNCHER_PROGRAM_NAME}_386.msi"
+	@signtool sign /debug /a /v /d "${LAUNCHER_BRANDING_NAME}" /f ~tmp_launcher_cert /p "${CERT_KEY}" /tr ${TIMESTAMP_SERVER} /td SHA256 /fd SHA512 "${RELEASE_FILES_DIR}/${OS}/${LAUNCHER_PROGRAM_NAME}_amd64.msi"
 	rm ~tmp_launcher_cert
 endif