The `signtool-sign` build process executes `signtool` with the `/t` flag. This requires a network connection every time, which is inconvenient for offline work.
```toml
command = "signtool"
args = [
  "sign",
  "/v",
  "/s",
  "WDRTestCertStore", # FIXME: this should be a parameter
  "/n",
  "WDRLocalTestCert", # FIXME: this should be a parameter
  "/t",
  "http://timestamp.digicert.com",
```
I propose to remove this flag.
While specifying `/t` is not inherently a bad idea, the benefit of that with wdk-build is effectively none, given that signing with this project is done with merely `WDRLocalTestCert` and is not meant for production releases. In other words, adding a timestamp with `/t` keeps the signature valid even after the certificate has expired (ref), but practically no one would care about this situation, leaving aside that it has quite a long validity (15 years on my env). If they do care, they would be signing with their own certs and commands, like requested in #588. So, overall, invoking `signtool` with `/t` only makes the use of this project difficult with no practical value.
windows-drivers-rs/crates/wdk-build/rust-driver-makefile.toml
Lines 475 to 484 in 547b792