signtool failing to dual sign SHA2 and SHA1 with timestamps

Question

We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.

Using the Windows 8 SDK\'s signtool:

e.g.:

Answer 1

I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:

signtool.exe sign /sha1 SHA1_Thumprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.

The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.

Updated 29/12/15:

The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:

signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Updated 30/12/2015

To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:

signtool.exe sign /sha1 SHA256_Thumprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"