Code Signing Best Practices
Download this Code Signing Best Practices guide to improve your software and supply chain security.
Sometimes you must sign an application with two different signatures (two hashing algorithms). For example, you might build an application that runs on both Windows 8 and an earlier version such as Windows Vista: Windows 8 supports SHA-256, while Windows Vista supports only the SHA-1 hashing algorithm.
To handle this situation, first sign the application with a SHA-256 code signing certificate, then affix a second signature from a SHA-1 code signing certificate. The main reason for dual signing is to support, with a single file, previous platforms such as Windows Vista that do not fully support SHA-256 signatures.
To dual sign so that legacy platforms such as Windows Vista see a SHA-1 signature, use the following commands (the .pfx password is shown as a placeholder):
signtool.exe sign /f ExampleCert.pfx /p <PfxPassword> /t https://timestamp.ca-name.com /v example1.exe
signtool.exe sign /f ExampleCert.pfx /p <PfxPassword> /fd sha256 /tr https://timestamp.ca-name.com/?td=sha256 /td sha256 /as /v example1.exe
To offer full SHA-1 signature support, two different certificates must be used; here are the commands:
signtool.exe sign /f ExampleSHA1Cert.pfx /p <PfxPassword> /t https://timestamp.ca-name.com /v example1.exe
signtool.exe sign /f ExampleSHA256Cert.pfx /p <PfxPassword> /fd sha256 /tr https://timestamp.ca-name.com/?td=sha256 /td sha256 /as /v example1.exe
Lastly, if you want to support earlier Windows platforms such as Windows XP SP2 or earlier, you must dual-sign EXEs, DLLs, and other files as well, and this also requires a SHA-1 based certificate (the timestamp-server URLs, which were missing from the commands, are filled in with the same placeholder server as above):
signtool.exe sign /f ExampleCert.pfx /p <PfxPassword> /t https://timestamp.ca-name.com /v example1.exe
signtool.exe sign /f ExampleCert.pfx /p <PfxPassword> /fd sha256 /tr https://timestamp.ca-name.com/?td=sha256 /td sha256 /as /v example1.exe
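The following PowerShell script is an added example, not part of this guide: it runs the two signtool invocations from the single-certificate case above and then checks that the file really carries both a SHA-1 and a SHA-256 signature, each timestamped. The file, certificate, password and timestamp-server values are placeholders, and the parsing of signtool's verbose verify output assumes its "Hash of file (...)" and "The signature is timestamped:" lines.

```powershell
# Added example (not the guide's code): dual-sign a PE with one certificate, then confirm
# that both file digests are present. All names below are placeholders.
param(
    [string]$File         = ".\example1.exe",
    [string]$Pfx          = ".\ExampleCert.pfx",
    [string]$PfxPassword  = "<PfxPassword>",
    [string]$TimestampUrl = "https://timestamp.ca-name.com",  # placeholder CA URL from the guide
    [string]$SignTool     = "signtool.exe"                     # assumed to be on PATH (Windows SDK)
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Primary signature: SHA-1 file digest with a legacy Authenticode (/t) timestamp.
#    /fd sha1 is stated explicitly here instead of relying on signtool's default.
#    It must be applied first, because Vista and earlier only read the primary signature.
Invoke-SignTool @('sign', '/f', $Pfx, '/p', $PfxPassword, '/fd', 'sha1',
                  '/t', $TimestampUrl, '/v', $File)

# 2. Appended signature: SHA-256 file digest with an RFC 3161 (/tr, /td) timestamp.
#    /as appends rather than replacing, which is what makes the file dual-signed.
Invoke-SignTool @('sign', '/f', $Pfx, '/p', $PfxPassword, '/fd', 'sha256',
                  '/tr', "$TimestampUrl/?td=sha256", '/td', 'sha256', '/as', '/v', $File)

# 3. Verify every signature (/all walks the nested one) under the default Authenticode policy (/pa).
$report = & $SignTool verify /pa /all /v $File 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "Verification failed:`n$report" }

# 4. Confirm exactly the two expected file digests and two timestamps are present.
#    Assumes signtool's verbose output format: 'Hash of file (sha1): ...', 'Hash of file (sha256): ...'.
$digests  = @([regex]::Matches($report, 'Hash of file \((\w+)\)') |
              ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique)
$expected = @('sha1', 'sha256')
$missing  = $expected | Where-Object { $digests  -notcontains $_ }
$extra    = $digests  | Where-Object { $expected -notcontains $_ }
if ($missing -or $extra) {
    throw "Expected digests [$($expected -join ', ')] but found [$($digests -join ', ')]"
}
$stamped = ([regex]::Matches($report, 'The signature is timestamped:')).Count
if ($stamped -ne 2) { throw "Expected 2 timestamped signatures, found $stamped" }

Write-Host "OK: $File carries a SHA-1 (primary) and a SHA-256 (nested) signature, both timestamped."
```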
Once the signing is done, it is best to verify it. To do so, follow these steps: