Forum Discussion
sign RDP file with timestamp
Currently, Microsoft does not provide an official method to timestamp `.rdp` file signatures.
`rdpsign.exe` only supports embedded signing of RDP files and unfortunately does not support RFC3161 timestamping or Authenticode timestamps. This means the signature validity is tied directly to the certificate validity period.
A few important points:
* `signtool.exe` cannot sign `.rdp` files because they are not PE/Authenticode-supported formats.
* `Set-AuthenticodeSignature` works only with standard Authenticode-capable file formats and often has issues with HSM-backed CSP/KSP providers depending on vendor implementation.
* `rdpsign.exe` uses the Remote Desktop signing mechanism, which is separate from standard Authenticode signing.
Because of this, timestamping RDP signatures is currently not supported by Microsoft tooling.
The practical/recommended approaches today are usually:
1. Use a long-validity code-signing certificate dedicated for RDP signing.
2. Renew/re-sign generated `.rdp` files before certificate expiration.
3. Automate RDP file regeneration and signing during certificate rollover.
4. Distribute the signing certificate chain properly to avoid additional trust warnings.
If using an HSM:
* Ensure the certificate is exposed through a legacy CSP or supported KSP provider.
* Some HSM vendors expose keys in a way that `rdpsign.exe` cannot consume correctly.
You can verify whether the private key is accessible with:
```
certutil -store my
```
and:
```
certutil -csplist
```
Also check whether the certificate appears as:
> “You have a private key that corresponds to this certificate”
inside `certlm.msc`.
Unfortunately, there is currently no supported Microsoft-native workflow for:
* RDP signing
* HSM-backed key usage
* AND RFC3161 timestamping together
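The following PowerShell script is an added example, not code from the answer above or from Microsoft: it implements points 2 and 3 of the recommended approach (re-sign `.rdp` files before the certificate expires, and do it from a scheduled job) and performs the same private-key check the answer describes for `certlm.msc`. It assumes `rdpsign.exe` is on the PATH, that the signing certificate lives in `LocalMachine\My`, and that the `/sha256 <thumbprint>` switch is available (it is on current Windows builds; older builds only accept `/sha1`). `$Thumbprint`, `$RdpDir` and `$RenewWithinDays` are placeholder parameters to adapt.

```powershell
# Added example (not from the original post): re-sign .rdp files with rdpsign.exe
# and warn before the RDP signing certificate expires. Placeholder values below
# must be replaced with the real thumbprint and folder.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT',   # placeholder
    [string]$RdpDir = 'C:\RdpFiles',                        # placeholder
    [int]$RenewWithinDays = 30
)

# Locate the certificate in the machine store (rdpsign selects by thumbprint).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

if (-not $cert) {
    throw "Certificate $Thumbprint not found in LocalMachine\My"
}

# Same check as the certlm.msc message "You have a private key that corresponds
# to this certificate": HasPrivateKey is false when only the public part is
# present or the CSP/KSP holding the key is not visible to this process.
if (-not $cert.HasPrivateKey) {
    throw "No accessible private key for $Thumbprint (check CSP/KSP exposure of the HSM key)"
}

# Without timestamping, signature validity ends with the certificate, so the
# expiry date is the real deadline for every file signed today.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -le 0) {
    throw "Certificate expired on $($cert.NotAfter); files signed with it will show trust warnings"
}
if ($daysLeft -le $RenewWithinDays) {
    Write-Warning "Certificate expires in $daysLeft days; enroll a replacement and re-run with its thumbprint"
}

# Re-sign every .rdp file in the folder. rdpsign.exe rewrites the file in place
# with the embedded signature; a non-zero exit code usually means the key could
# not be used through the provider that exposes it.
Get-ChildItem -Path $RdpDir -Filter *.rdp | ForEach-Object {
    & rdpsign.exe /sha256 $Thumbprint $_.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Error "rdpsign failed for $($_.FullName) (exit code $LASTEXITCODE)"
    }
    else {
        Write-Output "Signed $($_.FullName); signature valid until $($cert.NotAfter)"
    }
}
```

Run it from a scheduled task that fires well inside `$RenewWithinDays` so that the warning appears while there is still time to enroll a replacement certificate; after rollover, change `$Thumbprint` and re-run once so every distributed `.rdp` file carries a signature from the new certificate.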