How does one correctly dual-sign code with a timestamp?

Question

I have two code signing certificates (one SHA-1, one SHA-256) which I\'d like to apply to the same file. I tried to append the SHA-256 certificate, but this fails:

Answer 1

SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.

The RFC 3161 URL for Symantec/Verisign is:

http://sha256timestamp.ws.symantec.com/sha256/timestamp

If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.

Source:

https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820