This article provide instructions on how to sign Microsoft Windows software using a single Microsoft Authenticode certificate with dual / two signature algorithm (SHA1 & SHA256). This is efficient for situations that you may want to sign a software or application file with two different signatures. For example, suppose you want your software to run on Windows 7 and Windows 8. Windows 7 supports signatures with SHA256 hashing algorithm but requires updates from Microsoft (see Microsoft Security Advisory 2949927), and Windows 8 supports signatures created with the SHA256 hashing algorithm. In this case, you can sign your software with a primary signature that uses SHA1 then append a secondary signature that uses SHA256 code signing certificate for both signatures.
Signing Tools and System Requirement
- Windows 8.1, Windows 8, Window 7, Windows Server 2012, Windows Server 2008 R2
- SHA1 certificate
- SHA2 certificate
Note: To do dual code signing, you will need two certificates (both SHA1 and SHA2). Sign SHA1 algorithm with SHA1 certificate and sign SHA2 algorithm with SHA2 certificate. You can not use one certificate to sign both algorithm. If you only have SHA1 or SHA2 certificate, please follow below link to do a replacement and request a new certificate for another algorithm.
This example uses several of the arguments that SignTool supports:
Sign: Configures the tool to sign the intended file
Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
/a: Selects the best signing certificate automatically. If this option is not present, SignTool expects to find only one valid signing certificate.
/as: Appends this signature. If no primary signature is present, this signature is made the primary signature.
/f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
/fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
/n: Specifies the Common Name of a certificate. Use this option if you have certificates issued to more then one organization in your certificate store.
/p: If the file is in PFX format protected by a password, use the /p option to specify the password
/s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
/t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
/td: Used with the /tr switch to request a digest algorithm used by the RFC 3161 time stamp server.
Note: The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm.
- /tr: Specifies the URL of the RFC 3161 time stamp server. This option cannot be used with the /t option.
- /v: Specifies the verbose option for successful execution and warning messages.
Important: Symantec recommends customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn’t allow use of SHA2 service.
Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
(The timstamp.dll filename is required to conform to old MS-DOS naming convention).
The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp
The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp
Step 1: Sign the Primary Signature with SHA1 Algorithm
The following syntax signs the file using SHA1 certificate stored in your Personal certificate store
With SHA-1 TimeStamp:
Step 2: Append the Secondary Signature with SHA256 Algorithm by using SHA2 certificate
Once the application file been signed with SHA1 algorithm in Step 1 , follow the steps below to append the secondary signature with SHA256 algorithm to the same application file.
The following syntax signs the file using SHA2 certificate stored in your Personal certificate store
With SHA-256 RFC 3161 TimeStamp:
Note: If you are signing the file with a certificate stored in a password protected PFX file, simply use the arguments "/f YourCertFileName.pfx /p pfxpassword" instead of "/a /s MY /n "Common name" in the command.
Step 3: Verify the Signature
Browse to the signed application file under your windows 8 machine
- Right click on the signed application file
- click on Properties
- Click on Digital Signatures tab
You should see both SHA1 and SHA256 signature algorithm listed in this tab if the signing process is successful.
For additional information, refer to the following article from the Microsoft knowledge base: