Timestamp command

The timestamp command allows you to timestamp one or more previously-signed files using a timestamp server. It supports fallback timestamp servers and can timestamp multiple files efficiently with wildcard support.

Supported file types: Authenticode (.exe, .dll, .msi, .cat, etc.), CMS (.mobileconfig, .mobileprovision, .provisionprofile), NuGet (.nupkg), VSIX (.vsix), and RDP (.rdp). ClickOnce/VSTO manifests cannot be timestamped after signing; their timestamps must be added during signing.

Files that are not yet signed are skipped with an informational message.

Usage

SignotaurTool.exe timestamp [options] <files>

Files Parameter

  • A list of file paths to timestamp. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:

    • *: Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
    • ?: Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
    • **: Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.
    • !: Identifies an exclude pattern. It must be at the start of the pattern and must be combined with at least one normal include pattern. For instance, the two patterns *.dll and !*.Test.dll match all .dll files in the current directory excluding the test DLLs, that is file1.dll and file2.dll, but not file1.Test.dll.
  • Examples:

    • *.exe: Matches all executable files in the specified directory.
    • C:\Projects\**\*.dll: Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
    • C:\MyFiles\file?.exe: Matches any executable files that start with "file" followed by a single character.
    • !*.pdb: Excludes all debug symbol files in the specified directory from the current match.
  • Notes:

    • Check that directory paths are specified correctly: the tool looks for matching files starting from the directory portion of each pattern, resolving relative patterns against --base-directory when it is given and otherwise against the current directory.
    • If you need to timestamp a large number of files, you can use the --file-list option to specify the path to a file containing the list of file paths.
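The four wildcard rules above are easy to misread when include and exclude patterns are combined, so the following Python is an added worked example (not Signotaur's own matcher) that implements exactly the documented semantics over a constructed directory listing: * and ? never cross a path separator, a ** segment spans any number of directory levels, relative patterns resolve against the base directory, and ! patterns subtract from the union of the include patterns. Case-insensitive matching is an assumption based on Windows file name behaviour.

```python
"""Resolve the documented wildcard rules (*, ?, **, !) over a list of paths."""
import re
from pathlib import PureWindowsPath


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Anchored regex for one pattern. * and ? stop at a path separator;
    a ** segment spans zero or more directory levels."""
    p = pattern.replace("\\", "/")
    parts, i = [], 0
    while i < len(p):
        if p.startswith("**/", i):
            parts.append("(?:.*/)?")      # any number of directory levels, including none
            i += 3
        elif p.startswith("**", i):
            parts.append(".*")            # trailing **: everything below this point
            i += 2
        elif p[i] == "*":
            parts.append("[^/]*")         # within one file or directory name only
            i += 1
        elif p[i] == "?":
            parts.append("[^/]")          # exactly one character
            i += 1
        else:
            parts.append(re.escape(p[i]))
            i += 1
    # Assumption: matching is case-insensitive, as Windows file names are.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def compile_pattern(pattern: str):
    """Return (regex, is_absolute). Absolute patterns are matched against the full
    path; relative ones against the path relative to the base directory."""
    return pattern_to_regex(pattern), PureWindowsPath(pattern).is_absolute()


def relative_to_base(path: str, base: str):
    """Path relative to base (forward slashes), or None if it lies outside base."""
    p = path.replace("\\", "/")
    b = base.replace("\\", "/").rstrip("/") + "/"
    return p[len(b):] if p.lower().startswith(b.lower()) else None


def matches(compiled, path: str, base: str) -> bool:
    regex, absolute = compiled
    target = path.replace("\\", "/") if absolute else relative_to_base(path, base)
    return target is not None and regex.match(target) is not None


def resolve_patterns(patterns, files, base_directory):
    """Files selected by the patterns, in input order: the union of the include
    patterns minus anything matched by a '!' exclude pattern."""
    includes = [compile_pattern(p) for p in patterns if not p.startswith("!")]
    excludes = [compile_pattern(p[1:]) for p in patterns if p.startswith("!")]
    if not includes:
        raise ValueError("an exclude pattern must be combined with an include pattern")
    return [f for f in files
            if any(matches(c, f, base_directory) for c in includes)
            and not any(matches(c, f, base_directory) for c in excludes)]


# Constructed directory listing standing in for a real build output tree.
SAMPLE_FILES = [
    r"C:\Build\app.exe",
    r"C:\Build\file1.dll",
    r"C:\Build\file2.dll",
    r"C:\Build\file12.dll",
    r"C:\Build\file1.Test.dll",
    r"C:\Build\app.pdb",
    r"C:\Build\plugins\ext.dll",
    r"C:\Build\plugins\ext.Test.dll",
    r"C:\Build\plugins\nested\deep.exe",
    r"C:\Other\tool.exe",
]
BASE = r"C:\Build"

if __name__ == "__main__":
    for pats in (["*.dll", "!*.Test.dll"], ["file?.dll"], ["**/*.exe"],
                 [r"C:\Build\**\*.dll", r"!**\*.Test.dll"]):
        print(pats, "->", resolve_patterns(pats, SAMPLE_FILES, BASE))
```

Note that a relative pattern such as **/*.exe never reaches C:\Other\tool.exe because that file is outside the base directory; only an absolute pattern can select it.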

Options

  • --tr, --timestamp-server <TimeStampServer>

    Required. Specifies the URL of the RFC 3161 timestamp server.

  • --td, --timestamp-digest <DigestAlgorithm>

    Required. Specifies the digest algorithm placed in the RFC 3161 timestamp request's message imprint. Supported algorithms are SHA256, SHA384 and SHA512; the timestamp server must support the algorithm you choose.

  • --fb, --fallback-timestamp-servers <ServerList>

    Specifies fallback timestamp servers to use if the primary server is unavailable, so a single TSA outage does not fail the run. Fallback servers can be given as a comma-separated list or by repeating this option once per server (as in Example 2 below). The servers are tried sequentially, stopping at the first successful response.

  • -m, --max-degree-of-parallelism <MDOP>

    Specifies the maximum number of concurrent file timestamping operations. The default is 4; adjust it to the capabilities of your machine. Each file needs its own round trip to the timestamp server, so a higher value also raises the request rate you place on the TSA; if the TSA starts rejecting or throttling requests (exit code 47), lower it.

  • --fl, --file-list <FileName>

    Specifies the path to a file containing a list of file paths to timestamp. This is helpful for handling multiple files at once without specifying each one in the command line. Each line in the file should contain one file path.

  • -b, --base-directory <Directory>

    Sets the base directory for resolving relative file paths.

  • --cf, --continue-on-fail

    Continues timestamping subsequent files even if an error occurs while timestamping a file. This option is useful for batch timestamping scenarios.

  • --encoding <Encoding>

    Specifies the output encoding. Set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. Defaults to UTF8.

  • --theme <Theme>

    Specifies the console colour theme: General (default, suitable for most consoles), Dark (optimized for dark backgrounds), Light (optimized for light backgrounds) or None (disables colours).

  • --nc, --no-colour, --no-color

    Disables coloured output entirely. This is useful for CI/CD environments, log files, or systems that don't support ANSI colour codes. Alternatively, you can set the NO_COLOR environment variable to any non-empty value to achieve the same effect (following the no-color.org standard).

  • --nb

    Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.

  • -v, --verbose

    Enables verbose logging for the timestamping operation, providing detailed output of the process, which can be useful for debugging.

  • --help

    Displays help information and usage instructions for this command.

Examples

  1. Timestamp multiple files:

    SignotaurTool.exe timestamp --tr <TimeStampServer> --td SHA256 file1.exe file2.dll
    
  2. Timestamp files with a primary and fallback timestamp servers:

    SignotaurTool.exe timestamp --tr <TimeStampServer> --td SHA256 --fb <FallbackServer1> --fb <FallbackServer2> file1.exe file2.dll
    
  3. Timestamp a previously signed RDP file:

    SignotaurTool.exe timestamp --tr <TimeStampServer> --td SHA256 connection.rdp
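What --td and --fb actually do on the wire is worth seeing once: the digest option selects the algorithm OID in the TimeStampReq message imprint, and fallback means trying the next URL when a server is unreachable, answers with an HTTP error, returns something that is not a DER TimeStampResp (the situation behind exit code 55), or returns a PKIStatus other than granted. The Python below is an added example, not Signotaur's code; it builds a minimal RFC 3161 request, posts it with the application/timestamp-query content type, and walks a server list in order. The fallback demonstration uses a constructed transport with made-up example.test URLs so that it runs offline; only the status field of the response is decoded, and the timestamp token itself is not validated.

```python
"""Build an RFC 3161 TimeStampReq and try a primary TSA plus fallbacks in order."""
import hashlib
import secrets
import urllib.request

# DER-encoded OIDs for the digest algorithms the --td option accepts.
DIGEST_OIDS = {
    "SHA256": bytes.fromhex("608648016503040201"),  # 2.16.840.1.101.3.4.2.1
    "SHA384": bytes.fromhex("608648016503040202"),  # 2.16.840.1.101.3.4.2.2
    "SHA512": bytes.fromhex("608648016503040203"),  # 2.16.840.1.101.3.4.2.3
}


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    # Non-negative only; the spare byte keeps the sign bit clear.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_tsq(data: bytes, algorithm: str, nonce=None, cert_req: bool = True) -> bytes:
    """DER-encode a TimeStampReq for `data` with the named digest algorithm.

    For an Authenticode or CMS countersignature `data` is the signer's
    signature value (SignerInfo.signature), not the file itself.
    """
    try:
        oid = DIGEST_OIDS[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported digest {algorithm!r}; use SHA256, SHA384 or SHA512") from None
    imprint = der_tlv(0x30,
                      der_tlv(0x30, der_tlv(0x06, oid))                     # AlgorithmIdentifier, no parameters
                      + der_tlv(0x04, hashlib.new(algorithm.lower(), data).digest()))
    body = der_int(1) + imprint                                              # version 1
    body += der_int(secrets.randbits(64) if nonce is None else nonce)        # nonce (replay protection)
    if cert_req:
        body += der_tlv(0x01, b"\xff")                                       # certReq TRUE: include the TSA chain
    return der_tlv(0x30, body)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV at `pos` (definite lengths only)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def tsr_status(tsr: bytes) -> int:
    """PKIStatus from a TimeStampResp: 0 granted, 1 grantedWithMods, 2 and above rejected."""
    if not tsr or tsr[0] != 0x30:
        raise ValueError("response is not a DER SEQUENCE; a proxy or wrong URL may be returning HTML")
    _, resp, _ = read_tlv(tsr)
    _, status_info, _ = read_tlv(resp)           # PKIStatusInfo
    tag, status, _ = read_tlv(status_info)       # status INTEGER
    if tag != 0x02:
        raise ValueError("malformed PKIStatusInfo")
    return int.from_bytes(status, "big")


def http_post_tsq(url: str, tsq: bytes, timeout: float = 15.0) -> bytes:
    req = urllib.request.Request(url, data=tsq, method="POST",
                                 headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def request_timestamp(servers, tsq: bytes, send=http_post_tsq):
    """Try each TSA URL in order; return (url, tsr) for the first granted response."""
    failures = []
    for url in servers:
        try:
            status = tsr_status(tsr := send(url, tsq))
        except Exception as exc:                 # unreachable, HTTP error, undecodable body
            failures.append(f"{url}: {exc!r}")
            continue
        if status in (0, 1):
            return url, tsr
        failures.append(f"{url}: PKIStatus {status}")
    raise RuntimeError("all timestamp servers failed: " + "; ".join(failures))


def demo_fallback() -> str:
    """Offline demonstration with a constructed transport: primary down,
    first fallback rejects, second fallback grants."""
    granted = der_tlv(0x30, der_tlv(0x30, der_int(0)))     # TimeStampResp with status granted (token omitted)
    rejected = der_tlv(0x30, der_tlv(0x30, der_int(2)))    # status rejection

    def fake_send(url, tsq):
        if url == "http://tsa-primary.example.test":
            raise ConnectionError("connection refused")
        return rejected if url == "http://tsa-fallback-1.example.test" else granted

    tsq = build_tsq(b"constructed signature bytes", "SHA256", nonce=1)
    url, _ = request_timestamp(["http://tsa-primary.example.test",
                                "http://tsa-fallback-1.example.test",
                                "http://tsa-fallback-2.example.test"], tsq, send=fake_send)
    return url
```

Against a real TSA, call request_timestamp with http_post_tsq (the default transport) and a list ordered primary first; a granted response still has to be checked for a valid token and chain before it is embedded, which the tool does for you.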
    

Supported File Types

The timestamp command can add or refresh an RFC 3161 timestamp on files that are already signed. It auto-detects the signature format and timestamps accordingly:

Authenticode

.appx, .appxbundle, .cab, .cat, .cdxml, .dll, .eappx, .eappxbundle, .emsix, .emsixbundle, .exe, .msi, .msix, .msixbundle, .msm, .msp, .mst, .ocx, .ps1, .ps1xml, .psd1, .psm1, .stl, .sys, .vbs, .vxd, .winmd. Additional PE file types may also be timestamped automatically.

CMS/PKCS#7

.mobileconfig, .mobileprovision, .provisionprofile.

NuGet Packages

.nupkg — adds an RFC 3161 timestamp to the existing author signature inside the package.

VSIX (Visual Studio Extensions)

.vsix — adds an RFC 3161 timestamp to the existing OPC XML signature inside the package.

RDP Files

.rdp — adds an RFC 3161 timestamp to the detached CMS signature embedded in the file's signature:s: line. The 12-byte Microsoft header is stripped, the CMS is timestamped, and the header is re-applied before the file is rewritten atomically.

The timestamp is correctly embedded in the CMS (and is honoured by Signotaur's own verify command and by general-purpose CMS inspection tools), but Microsoft Remote Desktop Connection itself does not consult it — once the signing certificate expires, the file reverts to an untrusted state regardless. See Timestamping and certificate expiry for details and the recommended approach to managing certificate renewal.

See RDP file signing for the broader signing workflow.
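Because Remote Desktop Connection ignores the timestamp, the only way to see whether a signed .rdp file already carries one is to look inside the CMS. The Python below is an added example (not Signotaur's code) of that check: it reads the signature:s: line, base64-decodes it, drops the 12 bytes that precede the CMS, and walks the DER looking for the id-aa-timeStampToken attribute OID (1.2.840.113549.1.9.16.2.14) inside the SignedData. It assumes the file is UTF-16LE with a BOM or UTF-8, treats the 12-byte header as opaque (its field layout is not described on this page), and only detects the attribute rather than validating the token. The sample .rdp it constructs carries a placeholder blob, not a real signature, so it exercises the parsing path only.

```python
"""Pull the CMS out of a signed .rdp file and check whether it carries an RFC 3161 token."""
import base64
import codecs
from pathlib import Path

OID_SIGNED_DATA = "2a864886f70d010702"          # 1.2.840.113549.1.7.2      id-signedData
OID_TIMESTAMP_TOKEN = "2a864886f70d010910020e"  # 1.2.840.113549.1.9.16.2.14 id-aa-timeStampToken
HEADER_LEN = 12                                 # Microsoft header preceding the CMS, treated as opaque


def read_rdp_text(path) -> str:
    """Assumption: signed .rdp files are UTF-16LE with a BOM; otherwise UTF-8."""
    raw = Path(path).read_bytes()
    return raw.decode("utf-16") if raw.startswith(codecs.BOM_UTF16_LE) else raw.decode("utf-8")


def extract_cms(rdp_text: str) -> bytes:
    """Return the DER CMS from the signature:s: line with the 12-byte header removed."""
    for line in rdp_text.splitlines():
        if line.lower().startswith("signature:s:"):
            blob = base64.b64decode("".join(line[len("signature:s:"):].split()))
            break
    else:
        raise ValueError("no signature:s: line; the file is not signed")
    if len(blob) <= HEADER_LEN:
        raise ValueError("signature blob too short to hold a header and a CMS")
    cms = blob[HEADER_LEN:]
    if cms[0] != 0x30:
        raise ValueError("bytes after the 12-byte header are not a DER SEQUENCE")
    return cms


def iter_tlv(buf: bytes, pos: int = 0, end=None):
    """Yield (tag, body) for every DER TLV in buf[pos:end], descending into constructed types."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        if tag & 0x20:                            # constructed: children live inside the body
            yield from iter_tlv(buf, pos, pos + n)
        pos += n


def oids(der: bytes):
    """Hex-encoded values of every OBJECT IDENTIFIER reachable through constructed types."""
    return {body.hex() for tag, body in iter_tlv(der) if tag == 0x06}


def has_timestamp_token(cms: bytes) -> bool:
    found = oids(cms)
    if OID_SIGNED_DATA not in found:
        raise ValueError("not a CMS SignedData structure")
    return OID_TIMESTAMP_TOKEN in found


def build_sample_rdp(with_timestamp: bool) -> str:
    """Constructed .rdp text whose signature is a placeholder blob, not a real signature."""
    def tlv(tag, body):                           # short-form lengths only (< 128 bytes)
        return bytes([tag, len(body)]) + body
    # Unsigned attribute: either the timestamp token attribute or, for contrast, contentType.
    attr_oid = OID_TIMESTAMP_TOKEN if with_timestamp else "2a864886f70d010903"
    attr = tlv(0x30, tlv(0x06, bytes.fromhex(attr_oid)) + tlv(0x31, b""))
    unsigned_attrs = tlv(0xA0, tlv(0x31, attr))
    cms = tlv(0x30, tlv(0x06, bytes.fromhex(OID_SIGNED_DATA)) + unsigned_attrs)
    header = bytes(HEADER_LEN)                    # placeholder for the 12-byte Microsoft header
    sig = base64.b64encode(header + cms).decode()
    return ("full address:s:rdp.example.test\r\n"
            "signscope:s:Full Address\r\n"
            f"signature:s:{sig}\r\n")
```

For a real file, pass extract_cms(read_rdp_text(path)) to a CMS tool (for instance write the bytes to a .p7s file and run openssl cms -cmsout -print -inform DER -in that file) or rely on the verify command, which validates the token rather than merely detecting it.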

Files that are not yet signed cannot be timestamped and are skipped (see also exit code 16, NoSignature, below).

Exit Codes

The following exit codes indicate the result of the operation performed by SignotaurTool.exe timestamp. The most common failure is 47 TimeStampError. Codes 16–58 reach the timestamp command via the Windows SignerTimeStampEx3 API for Authenticode files (.exe, .dll, .msi, etc.) and via the managed timestamper for CMS, NuGet, VSIX, and RDP files; any HRESULT the Windows API can return is mappable here.

  • 0 (Success): All files were timestamped successfully.
  • 1 (NotFound): One or more specified files were not found (ERROR_FILE_NOT_FOUND).
  • 2 (Aborted): The operation was aborted (E_ABORT).
  • 3 (AccessDenied): A file could not be opened for writing because of insufficient permissions (E_ACCESSDENIED).
  • 4 (Failure): General failure — for example, an unsupported file type for timestamping, an unhandled exception in the managed timestamper, or another unspecified error (E_FAIL).
  • 5 (InvalidHandle): An invalid handle was used by the underlying cryptographic API (E_HANDLE).
  • 6 (InvalidArgument): A required argument is missing (--timestamp-server is required, at least one input file must be supplied), or an argument is malformed (E_INVALIDARG).
  • 7 (NoInterface): A required cryptographic interface is not supported (E_NOINTERFACE).
  • 8 (NotImplemented): A required feature is not implemented by the underlying cryptographic provider (E_NOTIMPL).
  • 9 (OutOfMemory): The system could not allocate memory for timestamping (E_OUTOFMEMORY).
  • 10 (InvalidPointer): An invalid memory pointer was used by the underlying cryptographic API (E_POINTER).
  • 11 (UnexpectedFailure): A catastrophic failure occurred in the underlying cryptographic provider (E_UNEXPECTED).
  • 12 (AdditionalCertNotFound): A certificate referenced by the existing signature could not be located (CRYPT_E_NOT_FOUND).
  • 13 (FileListError): An error occurred while processing a --file-list file.
  • 14 (SharingViolation): An input file is locked by another process (ERROR_SHARING_VIOLATION).
  • 15 (UnknownResult): The cryptographic API returned an HRESULT that the client does not recognise.
  • 16 (NoSignature): The file is not signed and therefore cannot be timestamped (TRUST_E_NOSIGNATURE).
  • 17 (ExplicitDistrust): The existing signature is explicitly distrusted (TRUST_E_EXPLICIT_DISTRUST).
  • 18 (SubjectNotTrusted): The signing subject is not trusted (TRUST_E_SUBJECT_NOT_TRUSTED).
  • 19 (InvalidPolicy): The TSA or signing certificate policy is invalid (CERT_E_INVALID_POLICY).
  • 20 (UntrustedRoot): The TSA certificate chain terminates in an untrusted root (CERT_E_UNTRUSTEDROOT).
  • 21 (CertificateExpired): A certificate involved in timestamping has expired (CERT_E_EXPIRED).
  • 22 (Malformed): A signature being timestamped is malformed — for example, the RDP signature header is not the expected 12-byte Microsoft format, or a VSIX SignatureValue is missing (CERT_E_MALFORMED).
  • 23 (CertificateRevoked): A certificate involved in timestamping has been revoked (CERT_E_REVOKED).
  • 24 (FileError): A file error occurred while reading or writing the input file (CRYPT_E_FILE_ERROR).
  • 25 (ProviderUnknown): Unknown trust provider (TRUST_E_PROVIDER_UNKNOWN).
  • 26 (SubjectFormUnknown): Unknown trust subject form (TRUST_E_SUBJECT_FORM_UNKNOWN).
  • 27 (ActionUnknown): Unknown trust action (TRUST_E_ACTION_UNKNOWN).
  • 28 (TrustFailure): Generic trust verification failed (TRUST_E_FAIL).
  • 29 (CertificateIssuerChaining): A parent certificate is not correctly issued by a higher authority (CERT_E_ISSUERCHAINING).
  • 30 (CertificateValidityPeriodNesting): Validity periods in the chain do not nest correctly (CERT_E_VALIDITYPERIODNESTING).
  • 31 (CertificateRole): A certificate is being used in an invalid role (CERT_E_ROLE).
  • 32 (CertificatePathLenConst): A path-length constraint in the chain has been exceeded (CERT_E_PATHLENCONST).
  • 33 (CertificateCritical): A certificate has an unrecognised critical extension (CERT_E_CRITICAL).
  • 34 (CertificatePurpose): The certificate is being used for an invalid purpose (CERT_E_PURPOSE).
  • 35 (CertificateUntrustedTestRoot): The chain terminates in an untrusted test root (CERT_E_UNTRUSTEDTESTROOT).
  • 36 (CertificateRevocationFailure): The revocation check could not continue (CERT_E_REVOCATION_FAILURE).
  • 37 (CertificateCNNoMatch): The certificate's common name does not match (CERT_E_CN_NO_MATCH).
  • 38 (CertificateWrongUsage): The certificate is not valid for the requested usage (CERT_E_WRONG_USAGE).
  • 39 (CertificateUntrustedCA): The issuing certificate authority is not trusted (CERT_E_UNTRUSTEDCA).
  • 40 (CertificateInvalidName): The certificate name is invalid (CERT_E_INVALID_NAME).
  • 41 (CertificateChaining): A certificate chain could not be built to a trusted root authority (CERT_E_CHAINING).
  • 42 (SecuritySettings): The cryptographic operation was blocked by security policy or settings (CRYPT_E_SECURITY_SETTINGS).
  • 44 (TrustSystemError): A system-level trust error occurred (TRUST_E_SYSTEM_ERROR).
  • 45 (TrustNoSignerCert): No signer certificate was found (TRUST_E_NO_SIGNER_CERT).
  • 46 (CannotInstallProvider): The certificate's signature could not be verified (TRUST_E_PROVIDER_UNKNOWN_ACTION).
  • 47 (TimeStampError): The timestamp server (TSA) returned an error, was unreachable, or its certificate is invalid (TRUST_E_TIME_STAMP). This is the most common timestamping failure.
  • 48 (BadDigest): A digital signature digest did not verify (TRUST_E_BAD_DIGEST).
  • 49 (InvalidBasicConstraints): A certificate's basic-constraints extension is invalid or missing (TRUST_E_BASIC_CONSTRAINTS).
  • 50 (CounterSignerError): The countersignature/timestamp signature could not be verified (TRUST_E_COUNTER_SIGNER).
  • 51 (NoRevocationCheck): The revocation function was unable to check revocation for the TSA certificate (CRYPT_E_NO_REVOCATION_CHECK).
  • 52 (RevocationOffline): The revocation server was offline while validating the TSA certificate (CRYPT_E_REVOCATION_OFFLINE).
  • 54 (BadFormat): The input file is not in the expected format for its detected type (ERROR_BAD_FORMAT).
  • 55 (BadAsn1Tag): The TSA response contained an invalid ASN.1 tag — often caused by a misconfigured timestamp server URL or a proxy returning HTML (CRYPT_E_ASN1_BADTAG).
  • 56 (BadEncode): The TSA response could not be decoded (CRYPT_E_BAD_ENCODE).
  • 57 (BadMessage): The TSA response is not a valid cryptographic message (CRYPT_E_BAD_MSG).
  • 58 (BadAsn1Corrupt): The TSA response contained corrupt ASN.1 data (CRYPT_E_ASN1_CORRUPT).

Typically a more specific message will be displayed before an error exit code is returned.