To sign your code and documents, you pass the code and documents that you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which results in a digital signature. You then build a signature block, which contains the digital signature and the code-signing certificate.
Tools like Microsoft's SignTool let you timestamp the signature block based on the current date and time that a timestamping service provider, such as Sectigo, provides. Finally, you bind the timestamped signature block to the original code or document, which you can now publish on your Web site for download.
As part of this process, you will need to know the URL of Sectigo's timestamping server:
There are two popular timestamping protocols, which are both supported by our time-stamping server:
- RFC 3161 timestamping is used by SignTool (using the "/tr" parameter) and other applications (such as jarsigner). Our timestamping server automatically selects the appropriate signature algorithm (RSA/SHA-256, RSA/SHA-384, or RSA/SHA-512) with which to sign each timestamp, based on the hash algorithm you specify (e.g., via SignTool's "/td" parameter).
- Authenticode timestamping is used by older versions of SignTool (using the "/t" parameter) and SignCode. Due to this protocol's design, it is not possible for our timestamping server to automatically select the appropriate signature algorithm. We currently use RSA/SHA-384 by default. However, you may request a different signature algorithm by appending "?td=<hash_algorithm>" to the URL. e.g., http://timestamp.sectigo.com?td=sha256.
If you are timestamping several items with a script, please add a delay of 15 seconds or more between each one so that you're not hammering our servers.
If you require a timestamping service compliant with eIDAS, please use the following time-stamping server URL instead - http://timestamp.sectigo.com/qualified.