Microsoft Authenticode - Dual Code Signing Instructions with SHA1 & SHA256 hashing Algorithm

General Information ID:    INFO2274    Updated:    02/08/2017

Description

This article provide instructions on how to sign Microsoft Windows software using a single Microsoft Authenticode certificate with dual / two signature algorithm (SHA1 & SHA256). This is efficient for situations that you may want to sign a software or application file with two different signatures. For example, suppose you want your software to run on Windows 7 and Windows 8. Windows 7 supports signatures with SHA256 hashing algorithm but requires updates from Microsoft (see Microsoft Security Advisory 2949927), and Windows 8 supports signatures created with the SHA256 hashing algorithm. In this case, you can sign your software with a primary signature that uses SHA1 then append a secondary signature that uses SHA256 code signing certificate for both signatures.


Signing Tools and System Requirement

Operating System

  • Windows 8.1, Windows 8, Window 7, Windows Server 2012, Windows Server 2008 R2
     

Signing Tool:

Certificate required:

  • SHA1 certificate
  • SHA2 certificate

        Note: To do dual code signing, you will need two certificates (both SHA1 and SHA2). Sign SHA1 algorithm with SHA1 certificate and sign SHA2 algorithm with SHA2 certificate. You can not use one certificate to sign both algorithm. If you only have SHA1 or SHA2 certificate, please follow below link to do a replacement and request a new certificate for another algorithm.

Request certificate for another algorithm

 

Signing Instructions:

This example uses several of the arguments that SignTool supports:

  • Sign: Configures the tool to sign the intended file
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /a: Selects the best signing certificate automatically. If this option is not present, SignTool expects to find only one valid signing certificate.
  • /as: Appends this signature. If no primary signature is present, this signature is made the primary signature.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /n: Specifies the Common Name of a certificate.  Use this option if you have certificates issued to more then one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password
  • /s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /td: Used with the /tr switch to request a digest algorithm used by the RFC 3161 time stamp server.
    Note: The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm.
  • /tr: Specifies the URL of the RFC 3161 time stamp server.  This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.

Important: Symantec recommends customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn’t allow use of SHA2 service.

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
            (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp


Step 1:  Sign the Primary Signature with SHA1 Algorithm 

The following syntax signs the file using SHA1 certificate stored in your Personal certificate store

With SHA-1 TimeStamp:

signtool.exe sign /a /s MY /n Common name /fd sha1 /t http://timestamp.verisign.com/scripts/timstamp.dll /v file to be signed

Step 2:  Append the Secondary Signature with SHA256 Algorithm by using SHA2 certificate

Once the application file been signed with SHA1  algorithm  in Step 1 , follow the steps below to append the secondary signature with SHA256 algorithm to the same application file.

The following syntax signs the file using SHA2 certificate stored in your Personal certificate store

With SHA-256 RFC 3161 TimeStamp:

signtool.exe sign /a /s MY /n "Common name" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /td sha256 /as /v "<file to be signed>"

Note: If you are signing the file with a certificate stored in a password protected PFX file, simply use the arguments   "/f YourCertFileName.pfx /p pfxpassword"   instead of  "/a /s MY /n "Common namein the command.

 

 Step 3: Verify the Signature

 Browse to the signed application file under your windows 8 machine

  1. Right click on  the signed application file
  2. click on  Properties
  3. Click on Digital Signatures tab

 You should see both SHA1 and SHA256 signature algorithm listed in this tab if the signing process is successful.

 For additional information, refer to the following article  from the Microsoft knowledge base:

https://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx

 

Contact Support

Find Answers

Languages