Ask a Question

Advanced Search

Alert ID : INFO3266

Last Modified : 05/03/2018

Microsoft Authenticode - Dual Code Signing Instructions with SHA1 & SHA256 Hashing Algorithm


This article provide instructions on how to sign Microsoft Windows software using a single Microsoft Authenticode certificate with dual / two signature algorithm (SHA1 & SHA256). This is efficient for situations that you may want to sign a software or application file with two different signatures. For example, suppose you want your software to run on Windows 7 and Windows 8. Windows 7 supports signatures with SHA256 hashing algorithm but requires updates from Microsoft (see Microsoft Security Advisory 2949927), and Windows 8 supports signatures created with the SHA256 hashing algorithm. In this case, you can sign your software with a primary signature that uses SHA1 then append a secondary signature that uses SHA256 code signing certificate for both signatures.

Signing Tools and System Requirement

Operating System

  • Windows 8.1, Windows 8, Window 7, Windows Server 2012, Windows Server 2008 R2

Signing Tool:

Signing Instructions:

This example uses several of the arguments that SignTool supports. For a complete list of signing options, please click here for documentation.

  • Sign: Configures the tool to sign the intended file
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /a: Automatically selects the best signing certificate. Sign Tool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing certificate.
  • /as: Appends this signature. If no primary signature is present, this signature is made the primary signature.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /n: Specifies the Common Name of a certificate.  Use this option if you have certificates issued to more then one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password
  • /s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /td: Used with the /tr switch to request a digest algorithm used by the RFC 3161 time stamp server.
    Note: The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm.
  • /tr: Specifies the URL of the RFC 3161 time stamp server.  This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.

Important: Thawte recommends customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn’t allow use of SHA2 service.

Note: The SHA-1 timestamping URL is
            (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is

The SHA-256 with RFC 3161 timestamping URL is

Step 1:  Sign the Primary Signature with SHA1 Algorithm 

The following syntax signs the file using a certificate stored in your Personal certificate store

With SHA-1 TimeStamp:

signtool.exe sign /a /s MY /n "Common name" /fd sha1 /t /v "<file to be signed>"


Step 2:  Append the Secondary Signature with SHA256 Algorithm

Once the application file been signed with SHA1  algorithm  in Step 1 , follow the steps below to append the secondary signature with SHA256 algorithm to the same application file.

The following syntax signs the file using a certificate stored in your Personal certificate store

With SHA-256 RFC 3161 TimeStamp:

signtool.exe sign /a /s MY /n "Common name" /fd sha256 /tr /td sha256 /as /v "<file to be signed>"

Note: If you are signing the file by use a certificate stored in a password protected PFX file, simply use the arguments   "/f YourCertFileName.pfx /p pfxpassword"   instead of  "/a /s MY /n "Common namein the command.


 Step 3: Verify the Signature

 Browse to the signed application file under your Windows 8 machine

  1. Right click on  the signed application file
  2. click on  Properties
  3. Click on Digital Signatures tab


 You should see both SHA1 and SHA256 signature algorithm listed in this tab if the signing process is successful.

 For additional information, refer to the following article  from the Microsoft knowledge base: