
fix: add support for Time-Stamping Protocol for Windows codesigning (fix #3563) (#3570)

Co-authored-by: Lucas Fernandes Nogueira <lucas@tauri.studio>
gardc 3 년 전
커밋
bdd5f7c2f0

+ 9 - 0
.changes/bundler-add-tsp-signing.md

@@ -0,0 +1,9 @@
+---
+"tauri-bundler": patch
+"cli.rs": patch
+"cli.js": patch
+"tauri": patch
+---
+
+Added `tsp` config option under `tauri > bundle > windows`, which enables Time-Stamp Protocol (RFC 3161) for the timestamping
+server under code signing on Windows if set to `true`.

+ 3 - 0
core/tauri-utils/src/config.rs

@@ -239,6 +239,9 @@ pub struct WindowsConfig {
   pub certificate_thumbprint: Option<String>,
   /// Server to use during timestamping.
   pub timestamp_url: Option<String>,
+  /// Whether to use Time-Stamp Protocol (TSP, a.k.a. RFC 3161) for the timestamp server. Your code signing provider may
+  /// use a TSP timestamp server, like e.g. SSL.com does. If so, enable TSP by setting to true.
+  pub tsp: Option<bool>,
   /// Path to the webview fixed runtime to use.
   ///
   /// The fixed version can be downloaded [on the official website](https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section).
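Review bot: The doc comment on `tsp` does not say that the option is only read when `timestamp_url` is set, nor that leaving it unset behaves like `false`; per the `sign.rs` change in this commit, both cases fall back to the `/t` request. I would append a line such as `/// Has no effect unless timestamp_url is set; unset or false keeps the non-RFC 3161 timestamp request.` The same comment is copied onto `WindowsSettings::tsp` in `tooling/bundler/src/bundle/settings.rs` and needs the same addition. `WindowsConfig` continues outside this hunk.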

+ 4 - 0
tooling/bundler/src/bundle/settings.rs

@@ -241,6 +241,9 @@ pub struct WindowsSettings {
   pub certificate_thumbprint: Option<String>,
   /// Server to use during timestamping.
   pub timestamp_url: Option<String>,
+  /// Whether to use Time-Stamp Protocol (TSP, a.k.a. RFC 3161) for the timestamp server. Your code signing provider may
+  /// use a TSP timestamp server, like e.g. SSL.com does. If so, enable TSP by setting to true.
+  pub tsp: Option<bool>,
   /// WiX configuration.
   pub wix: Option<WixSettings>,
   /// The path to the application icon. Defaults to `./icons/icon.ico`.
@@ -255,6 +258,7 @@ impl Default for WindowsSettings {
       digest_algorithm: None,
       certificate_thumbprint: None,
       timestamp_url: None,
+      tsp: None,
       wix: None,
       icon_path: PathBuf::from("icons/icon.ico"),
       webview_fixed_runtime_path: None,

+ 1 - 0
tooling/bundler/src/bundle/windows/msi/wix.rs

@@ -404,6 +404,7 @@ pub fn build_wix_app_installer(
             .timestamp_url
             .as_ref()
             .map(|url| url.to_string()),
+          tsp: settings.windows().tsp,
         },
       )?;
     }

+ 7 - 1
tooling/bundler/src/bundle/windows/sign.rs

@@ -19,6 +19,7 @@ pub struct SignParams {
   pub digest_algorithm: String,
   pub certificate_thumbprint: String,
   pub timestamp_url: Option<String>,
+  pub tsp: Option<bool>,
 }
 
 // sign code forked from https://github.com/forbjok/rust-codesign
@@ -101,7 +102,12 @@ pub fn sign<P: AsRef<Path>>(path: P, params: &SignParams) -> crate::Result<()> {
   cmd.args(&["/sha1", &params.certificate_thumbprint]);
 
   if let Some(ref timestamp_url) = params.timestamp_url {
-    cmd.args(&["/t", timestamp_url]);
+    if params.tsp == Some(true) {
+      cmd.args(&["/tr", timestamp_url]);
+      cmd.args(&["/td", &params.digest_algorithm]);
+    } else {
+      cmd.args(&["/t", timestamp_url]);
+    }
   }
 
   cmd.arg(path_str);
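Review bot: The new `tsp` field on `SignParams` has no doc comment, and the branch in `sign` does not say which path is the default, so a reader cannot tell that an unset `tsp` keeps the legacy `/t` timestamp request. I would document the field with `/// Use RFC 3161 timestamping (/tr + /td) instead of the legacy /t request; only read when timestamp_url is set.` `/td` reuses `params.digest_algorithm`, which is presumably also the file digest set earlier in `sign` (the function starts outside this hunk), so it is worth confirming that a weak digest configured there is meant to apply to the timestamp request as well. As a style point, `params.tsp == Some(true)` could read `params.tsp.unwrap_or(false)`.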

+ 10 - 0
tooling/cli/schema.json

@@ -147,6 +147,7 @@
             "certificateThumbprint": null,
             "digestAlgorithm": null,
             "timestampUrl": null,
+            "tsp": null,
             "webviewFixedRuntimePath": null,
             "wix": null
           }
@@ -563,6 +564,7 @@
             "certificateThumbprint": null,
             "digestAlgorithm": null,
             "timestampUrl": null,
+            "tsp": null,
             "webviewFixedRuntimePath": null,
             "wix": null
           },
@@ -1640,6 +1642,7 @@
               "certificateThumbprint": null,
               "digestAlgorithm": null,
               "timestampUrl": null,
+              "tsp": null,
               "webviewFixedRuntimePath": null,
               "wix": null
             }
@@ -2072,6 +2075,13 @@
             "null"
           ]
         },
+        "tsp": {
+          "description": "Whether to use Time-Stamp Protocol (TSP, a.k.a. RFC 3161) for the timestamp server. Your code signing provider may use a TSP timestamp server, like e.g. SSL.com does. If so, enable TSP by setting to true.",
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
         "webviewFixedRuntimePath": {
           "description": "Path to the webview fixed runtime to use.\n\nThe fixed version can be downloaded [on the official website](https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section). The `.cab` file must be extracted to a folder and this folder path must be defined on this field.",
           "type": [

+ 1 - 0
tooling/cli/src/interface/rust.rs

@@ -479,6 +479,7 @@ fn tauri_config_to_bundle_settings(
     },
     windows: WindowsSettings {
       timestamp_url: config.windows.timestamp_url,
+      tsp: config.windows.tsp,
       digest_algorithm: config.windows.digest_algorithm,
       certificate_thumbprint: config.windows.certificate_thumbprint,
       wix: config.windows.wix.map(|w| {