General Information ID: INFO2274
This article provides instructions on how to sign Microsoft Windows software with dual signatures (SHA1 and SHA256) using Microsoft Authenticode certificates. This is useful when you need to sign a software or application file with two different signatures. For example, suppose you want your software to run on both Windows 7 and Windows 8. Windows 7 supports signatures that use the SHA256 hashing algorithm only after updates from Microsoft have been applied (see Microsoft Security Advisory 2949927), while Windows 8 supports SHA256 signatures natively. In this case, you can sign your software with a primary signature that uses SHA1 and then append a secondary signature that uses SHA256.
Signing Tools and System Requirement
Note: To do dual code signing, you will need two certificates (one SHA1 and one SHA2). Create the SHA1 signature with the SHA1 certificate and the SHA2 signature with the SHA2 certificate. You cannot use one certificate to sign with both algorithms. If you only have a SHA1 or a SHA2 certificate, follow the link below to request a replacement certificate for the other algorithm.
This example uses several of the arguments that SignTool supports:
Important: Symantec recommends that customers use the SHA256 timestamping service going forward, and not use the SHA1 service unless a legacy platform constraint prevents the use of the SHA2 service.
Note: The SHA-1 (Authenticode) timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
(The timstamp.dll filename is required to conform to the old MS-DOS 8.3 naming convention.)
The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp
The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp
Step 1: Sign the Primary Signature with SHA1 Algorithm
The following syntax signs the file using the SHA1 certificate stored in your Personal certificate store.
With SHA-1 TimeStamp:
Step 2: Append the Secondary Signature with SHA256 Algorithm Using the SHA2 Certificate
Once the application file has been signed with the SHA1 algorithm in Step 1, follow the steps below to append the secondary SHA256 signature to the same application file.
The following syntax signs the file using the SHA2 certificate stored in your Personal certificate store.
With SHA-256 RFC 3161 TimeStamp:
Note: If you are signing the file with a certificate stored in a password-protected PFX file, use the arguments /f YourCertFileName.pfx /p pfxpassword in place of /a /s MY /n "Common name" in the command.
Step 3: Verify the Signature
Browse to the signed application file on your Windows 8 machine, open its Properties, and select the Digital Signatures tab.
If the signing process was successful, you should see both the SHA1 and the SHA256 signature algorithms listed in this tab.
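The three steps above, carried out end to end with SignTool, as an added example that is not part of the original article. The file path, the certificate subject names and the presence of signtool.exe on the PATH are assumptions; the timestamp URLs are the ones the article lists.

```powershell
# Added example (not from the original article): dual-sign a PE file with SignTool
# and then verify that both signatures are present.
# Assumptions (not on the page): signtool.exe is on the PATH, the file to sign is
# .\MyApp.exe, and both certificates are in the CurrentUser Personal (MY) store
# with the subject names below.
$ErrorActionPreference = 'Stop'
$File     = '.\MyApp.exe'                        # assumed path
$Sha1Cert = 'Example Corp SHA1 Code Signing'     # assumed CN of the SHA1 certificate
$Sha2Cert = 'Example Corp SHA256 Code Signing'   # assumed CN of the SHA2 certificate

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): signtool $($Arguments -join ' ')"
    }
}

# Step 1: primary SHA1 signature with the Authenticode (non-RFC 3161) SHA-1 timestamp.
# /fd sha1 is given explicitly so the file digest does not depend on SignTool's default.
Invoke-SignTool @('sign', '/a', '/s', 'MY', '/n', $Sha1Cert, '/fd', 'sha1',
                  '/t', 'http://timestamp.verisign.com/scripts/timstamp.dll', $File)

# Step 2: append (/as) the SHA256 signature with an RFC 3161 SHA-256 timestamp (/tr + /td).
# Without /as, SignTool replaces the existing SHA1 signature instead of adding a second one.
Invoke-SignTool @('sign', '/a', '/s', 'MY', '/n', $Sha2Cert, '/fd', 'sha256', '/as',
                  '/tr', 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
                  '/td', 'sha256', $File)

# Step 3: verify every signature on the file (/all) against the default Authenticode
# policy (/pa). The verbose output lists each signature and its timestamp separately,
# which is the command-line equivalent of the Digital Signatures tab.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)

# Cross-check from PowerShell. Get-AuthenticodeSignature reports only the primary
# (SHA1) signature, so the appended SHA256 signature is confirmed by the /all output above.
Get-AuthenticodeSignature -FilePath $File |
    Format-List Status, SignerCertificate, TimeStamperCertificate
```

If either sign step fails, the script stops before the verify step, so a partially signed file is never reported as successfully dual-signed.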
For additional information, refer to the following article from the Microsoft knowledge base: