timestamp codesign issue

Hello,

In order to sign our app we run the codesign tool as follows:

/usr/bin/codesign --deep --timestamp -o runtime --force --keychain /fw_home/Library/Keychains/CPCERT.keychain --sign 'Developer ID Application: Check Point Software Technologies (TZ3UEPFYKD)' CMpub/lib/macosx/release/libimpers_kerb.dylib

The command often fails with the following result:

"A timestamp was expected but was not found."

The issue is intermittent and seems to depend on the location and time of day. Thus, in the Tel-Aviv location the command tends to succeed at night hours but fails during the day.

We took a packet capture log on our firewall. When signing fails we see that codesign sends an HTTP POST request to timestamp.apple.com and the server acknowledges receipt of the packet. The server does not send back any data for 15 seconds and the client side sends a FIN packet to shut down the connection. In the case of successful signing we see that an HTTP 200 code is received almost immediately. So, it seems that 15s is not enough for the timestamp server to process the request. Can we increase the 15s timeout somehow, or could you assist us in any way to have this issue solved?

Below are the packet capture logs for the successful and failed flows:

Successful Packet:

16:19:45.077840 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 80: 192.168.120.108.49403 > 17.179.249.1.80: Flags [SEW], seq 1726631757, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914329200 ecr 0,sackOK,eol], length 0
16:19:45.080628 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 80: 17.179.249.1.80 > 192.168.120.108.49403: Flags [S.], seq 1040463283, ack 1726631758, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 4058768711 ecr 914329200], length 0
16:19:45.080919 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49403 > 17.179.249.1.80: Flags [.], ack 1, win 2058, options [nop,nop,TS val 914329204 ecr 4058768711], length 0
16:19:45.081814 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 68: 17.179.249.1.80 > 192.168.120.108.49403: Flags [.], ack 1, win 32768, options [nop,nop,TS val 4058768711 ecr 914329204], length 0
16:19:45.082525 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 356: 192.168.120.108.49403 > 17.179.249.1.80: Flags [P.], seq 1:289, ack 1, win 2058, options [nop,nop,TS val 914329204 ecr 4058768711], length 288: HTTP: POST /ts01 HTTP/1.1
16:19:45.082535 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 145: 192.168.120.108.49403 > 17.179.249.1.80: Flags [P.], seq 289:366, ack 1, win 2058, options [nop,nop,TS val 914329204 ecr 4058768711], length 77: HTTP
16:19:45.082724 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 68: 17.179.249.1.80 > 192.168.120.108.49403: Flags [.], ack 366, win 32722, options [nop,nop,TS val 4058768711 ecr 914329204], length 0
16:19:45.931727 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 350: 17.179.249.1.80 > 192.168.120.108.49403: Flags [.], seq 1:283, ack 366, win 32768, options [nop,nop,TS val 4058768714 ecr 914329204], length 282: HTTP: HTTP/1.1 200 OK
16:19:45.931744 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 1234: 17.179.249.1.80 > 192.168.120.108.49403: Flags [P.], seq 283:1449, ack 366, win 32768, options [nop,nop,TS val 4058768714 ecr 914329204], length 1166: HTTP
16:19:45.931893 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 1516: 17.179.249.1.80 > 192.168.120.108.49403: Flags [P.], seq 1449:2897, ack 366, win 32768, options [nop,nop,TS val 4058768714 ecr 914329204], length 1448: HTTP
16:19:45.932648 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49403 > 17.179.249.1.80: Flags [.], ack 1449, win 2036, options [nop,nop,TS val 914329965 ecr 4058768714], length 0
16:19:45.932661 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49403 > 17.179.249.1.80: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 914329965 ecr 4058768714], length 0
16:19:45.932721 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 1516: 17.179.249.1.80 > 192.168.120.108.49403: Flags [P.], seq 2897:4345, ack 366, win 32768, options [nop,nop,TS val 4058768714 ecr 914329965], length 1448: HTTP
16:19:45.932731 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 317: 17.179.249.1.80 > 192.168.120.108.49403: Flags [P.], seq 4345:4594, ack 366, win 32768, options [nop,nop,TS val 4058768714 ecr 914329965], length 249: HTTP
16:19:45.933174 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49403 > 17.179.249.1.80: Flags [.], ack 4345, win 2025, options [nop,nop,TS val 914329965 ecr 4058768714], length 0
16:19:45.933181 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49403 > 17.179.249.1.80: Flags [.], ack 4594, win 2021, options [nop,nop,TS val 914329965 ecr 4058768714], length 0

Failure Packet:

16:21:05.194698 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 356: 192.168.120.108.49404 > 17.179.249.1.80: Flags [P.], seq 365:653, ack 4594, win 2048, options [nop,nop,TS val 914396490 ecr 2282066484], length 288: HTTP: POST /ts01 HTTP/1.1
16:21:05.194706 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 144: 192.168.120.108.49404 > 17.179.249.1.80: Flags [P.], seq 653:729, ack 4594, win 2048, options [nop,nop,TS val 914396490 ecr 2282066484], length 76: HTTP
16:21:05.195849 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 68: 17.179.249.1.80 > 192.168.120.108.49404: Flags [.], ack 729, win 32758, options [nop,nop,TS val 2282066521 ecr 914396490], length 0
16:21:21.169780 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49404 > 17.179.249.1.80: Flags [F.], seq 729, ack 4594, win 2048, options [nop,nop,TS val 914409551 ecr 2282066521], length 0
16:21:21.176440 Out 00:1c:7f:6c:d3:7f ethertype IPv4 (0x0800), length 68: 17.179.249.1.80 > 192.168.120.108.49404: Flags [F.], seq 4594, ack 730, win 32758, options [nop,nop,TS val 2282066585 ecr 914409551], length 0
16:21:21.177782 In 00:1c:7f:6f:53:4b ethertype IPv4 (0x0800), length 68: 192.168.120.108.49404 > 17.179.249.1.80: Flags [.], ack 4595, win 2048, options [nop,nop,TS val 914409559 ecr 2282066585], length 0

Replies

There are two common causes of this problem:

  • The timestamp service is having a bad day.

  • Something about your local network environment is blocking this connection.

Teasing these apart can be tricky. The first step is to check for a known problem on:

While there’s no specific entry for the timestamp service, if you’re seeing widespread problems with Apple services then I think it’s reasonable to assume that this is our problem.

If not, my general advice is that you retry your tests in a different network environment. If, for example, you’re in the office, try from your home network, or vice versa. Or perhaps use Personal Hotspot to try it from a carrier network.

If you see the same problem in multiple network environments, that’s likely to be a problem with the timestamp service. In that case I recommend that you file a bug against that service, making sure to include your packet traces.

Do this even if the problem goes away. If it was a known outage then the timestamp service folks will just close your bug. If not, the packet traces might help them investigate an intermittent problem.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
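
An added example, not part of the original thread and not Apple's or the poster's code: a small parser that reads tcpdump text like the traces in the question and reports, per client connection, whether each timestamp POST was answered or the client closed first, and after how long. The function name `summarise`, the field names and the sample lines (documentation IP addresses, shortened tcpdump format) are constructed for illustration; only the `/ts01` path and port 80 come from the traces above.

```python
import re

# One tcpdump text line: time, src > dst, TCP flags, payload length, optional decode.
PKT = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) .*? (\S+) > (\S+): "
                 r"Flags \[([^\]]+)\].* length (\d+)(?:: (.*))?$")

def summarise(trace, server_port=80):
    """Map each client ip.port to the outcome of its most recent POST."""
    flows = {}
    for line in trace.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # not a packet line (header text, blank line)
        hh, mm, ss, src, dst, flags, length, payload = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        from_client = dst.rsplit(".", 1)[1] == str(server_port)
        f = flows.setdefault(src if from_client else dst,
                             {"post": None, "outcome": "no request", "wait": None})
        if from_client and payload and "POST " in payload:
            # A new request; a kept-alive connection may carry several.
            f.update(post=t, outcome="pending", wait=None)
        elif f["outcome"] == "pending":
            if not from_client and int(length) > 0:
                # First server segment carrying data (bare ACKs have length 0).
                f.update(outcome="answered", wait=round(t - f["post"], 3))
            elif from_client and "F" in flags:
                # Client sent FIN before any response data arrived.
                f.update(outcome="client gave up", wait=round(t - f["post"], 3))
    return flows

# Constructed sample in tcpdump's default (no -e) format.
SAMPLE = """\
16:19:45.082525 IP 192.0.2.10.49403 > 198.51.100.1.80: Flags [P.], seq 1:289, ack 1, win 2058, length 288: HTTP: POST /ts01 HTTP/1.1
16:19:45.082724 IP 198.51.100.1.80 > 192.0.2.10.49403: Flags [.], ack 366, win 32722, length 0
16:19:45.931727 IP 198.51.100.1.80 > 192.0.2.10.49403: Flags [.], seq 1:283, ack 366, win 32768, length 282: HTTP: HTTP/1.1 200 OK
16:21:05.194698 IP 192.0.2.10.49404 > 198.51.100.1.80: Flags [P.], seq 365:653, ack 4594, win 2048, length 288: HTTP: POST /ts01 HTTP/1.1
16:21:05.195849 IP 198.51.100.1.80 > 192.0.2.10.49404: Flags [.], ack 729, win 32758, length 0
16:21:21.169780 IP 192.0.2.10.49404 > 198.51.100.1.80: Flags [F.], seq 729, ack 4594, win 2048, length 0
"""

if __name__ == "__main__":
    for client, f in summarise(SAMPLE).items():
        print(client, f["outcome"], f["wait"])
```

Running the same summary over captures taken in different network environments gives comparable per-request wait times to attach to a bug report alongside the raw traces.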