signtool failing to dual sign SHA2 and SHA1 with timestamps

Question

We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.

Using the Windows 8 SDK\'s signtool:

e.g.:

Answer 1

I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:

signtool.exe sign /sha1 SHA1_Thumprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.

The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.

Updated 29/12/15:

The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:

signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Updated 30/12/2015

To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:

signtool.exe sign /sha1 SHA256_Thumprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"

Answer 2

Try using

signtool.exe sign /as /fd sha256 /tr http://timestamp.geotrust.com /td sha256 /f certificate.pfx /p XXXXXX file.dll

/tr is for RFC3161 timestamping, /td obviously for the hash to use.

Answer 3

I think this link has some nice pointers. Some of it is mentioned in the answer by martin_costello, but this article provides some more details. In particular:

• 'Dual signing and include an SHA1 file digest' is possible if you sign SHA1 first, and use /as for the SHA256. It only works with signtool v6.3 from the Windows 8.1 SDK (or later) though.
• Dual signing with 'a FULL SHA1 signature', needed for windows version before XP sp3, requires 2 different certificates.

(I haven't tested all this myself though.)

Answer 4

I also get the above error, however It works with the osslsigncode utility when using the '-nest' option:

osslsigncode sign -pkcs12 cert1.pfx -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in original.exe -out intermediate.exe
osslsigncode sign -pkcs12 cert2.pfx -nest -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in intermediate.exe -out final.exe

The official project is for Unix, however I've knocked up my own windows fork.

Answer 5

I know it's a bit old, but I landed in this thread and maybe someone else will too.

It will work if you sign first with SHA1 and then with SHA256:

signtool.exe sign /f cert_file.pfx /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password 

It worked using the same certificate in both signatures. I used the signtool from Windows 10 SDK, don't know if it will work with previous versions.

Answer 6

Adding to martin_costello answer, XP and Vista do not support the RFC timestamp. You need to use the /t option for sha1 signatures.

signtool.exe sign /sha1 SHA1_Thumprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"