Cannot contact the chosen TSA while trying to create ZXP

Signaler · Apr 26, 2017

I'm trying to package my ZXP using Mac OS Yosemite 10.10.5.

I've always been able to successfully create the ZXP with the command:

./ZXPSignCmd -sign project-folder/ ProjectName.zxp certificate.p12 password -tsa https://timestamp.geotrust.com/tsa

However, for the last few days I've been getting this error:

Error - cannot contact the chosen TSA. Please make sure the URL is valid and that you are connected to the internet.

When I ping timestamp.geotrust.com I get timeouts. Is geotrust down, or am I doing something wrong? I've tried Googling this, and am yet to find a thread about it that came to a resolution.

Signaler · Apr 26, 2017

Also before anyone asks, yes I am connected to the internet, as evident by me being able to post this thread .

Signaler · Apr 26, 2017

Hi Dan,

I heard from other developers that the timeserver you mentioned seems to be down. You may want to consider using a self signed certificate, the downside is that it won't last as long but it would let you test it. The other option would be to consider a different TSA provider.

Hope that helps.

Signaler · Apr 26, 2017

Thanks Jonathan.

I believe I already am using a self-signed certificate (I created one using ZXPSignCmd), and that's what I've always done. I guess I can try a different tsa provider, but I thought that Adobe Exchange had issues with other providers other than geotrust (at least that what it seemed like when I tried Googling this issue). Do you know of any providers that may work?

Thanks

Signaler · Apr 26, 2017

Hi Dan,

Sorry I don't know of other providers but I would suggest you think about not using a TSA, it might make things simpler. In a perfect world I would love to get away from the need for certificates and consider something else like an API key. It's something we are looking into.

Jonathan

Signaler · Apr 26, 2017

Ok, it works without the tsa, but I thought that time-stamping was required for distributing the extension on Adobe Exchange. Is that not the case?

Signaler · Apr 26, 2017

No a TSA is not required. It's main benefit is that it should last a really ling time but that's assuming the TSA does not go down!

You can create a cert using the tool you mentioned, or the Exchange Packager app, Configurator or elsewhere.

Hope that helps.

Signaler · Apr 26, 2017

Ok thanks.

Signaler · Apr 28, 2017

Symantec has dropped support for the Legacy timestamp service as explained in the following post: https://knowledge.symantec.com/support/partner/index?page=content&id=NEWS10071&viewlocale=en_US

I changed the timestamp service to http://sha256timestamp.ws.symantec.com/sha256/timestamp

and it worked for me.

Signaler · Jun 20, 2017

Using the TSA suggested by mikig2 I get the following message:

Error - the timestamp returned from the chosen TSA could not be verified, so the ZXP created is likely to be rejected by other tools. Please recreate your ZXP with a different trusted TSA.

But using the the following URL, that I found on a page where mikig's URL was also mentioned, I got the message "signed successfully", and the extension worked on my client's computer:

http://sha1timestamp.ws.symantec.com/sha1/timestamp

SHA-1 and SHA-256 seems to be the difference, and for me the SHA-256 link did not work.

Signaler · Oct 19, 2017

i'm getting the "the timestamp returned from the chosen TSA could not be verified" on the mac.

i've tried every version of zxpsigncmd with every url for a tsa i could find.

Cannot contact the chosen TSA while trying to create ZXP

1 bonne réponse