Authenticode Dual Code Signing Instructions

In some instances, you may need to sign an application with two signatures that use different hashing algorithms. For example, you may want to build an application that runs on both Windows 7 and Windows 8. Windows 8 supports SHA256 Code Signing Certificates (SHA-2 hashing algorithm), whereas Windows 7 without the SHA-2 update can only validate SHA-1 Code Signing Certificates and SHA-1 file digests. See Microsoft Security Advisory 3033929: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.

In this situation, you sign the application twice, and the order matters. The primary (first) signature uses the SHA1 Code Signing Certificate with a SHA-1 file digest, because a system without SHA-2 support reads only the first signature in the file and ignores any appended ones. You then append a secondary signature using the SHA256 Code Signing Certificate with a SHA-256 file digest, which SHA-2 capable systems validate. Note that the hashing algorithm appears in two places: in the certificate's own signature (what makes it a "SHA256" or "SHA1" certificate) and in the digest SignTool computes over your file (the /fd option). Keep the two consistent within each signature: the SHA1 certificate with /fd sha1, and the SHA256 certificate with /fd sha256.

For EV Code Signing Certificate, dual signing instructions, see Dual Signing with SHA256 and SHA1 EV Code Signing Certificates.

Dual Signing Process for Code Signing Certificates

The dual code signing process with SHA256 and SHA1 signatures consists of four main steps. You may need to complete all four or just one or two.

  1. Getting Your SHA256 and SHA1 Code Signing Certificates

  2. Verifying Your SHA1 and SHA256 Code Signing Certificates

  3. Building the Signing Commands and Signing Your Files

  4. Verifying the Digital Signatures


Getting Your SHA256 and SHA1 Code Signing Certificates

These instructions assume that you have already purchased your Code Signing Certificate and have installed it on your device.

By default, DigiCert Code Signing Certificates are SHA256. If you are a DigiCert customer, getting a SHA1 version of your Code Signing Certificate is fairly easy: you reissue (re-key) the certificate from within your online account and choose SHA-1 as the signature hash. The reissued certificate is a separate certificate with its own thumbprint, so you end up with two certificates to install.

Sun Java Platform Only
Create your Certificate Signing Request (CSR) before following the steps in this section. Sun Java is the only platform you're required to submit a CSR for.

How to Get a SHA1 Version of Your Code Signing Certificate (Re-key)

  1. In your CertCentral account, in the left main menu, go to Certificate > Orders.

  2. On the Orders page, click the order number link for the Code Signing certificate you want to reissue.

  3. On the certificate's Order details page, in the Certificate Actions dropdown, select Reissue Certificate.

  4. Add Your CSR

    On the Reissue Certificate for Order page, in the Add Your CSR box, upload your CSR.

    You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in the Add Your CSR box.

    The Sun Java Platform is the only platform that requires you to submit a CSR with your request; for all other platforms, submitting a CSR is optional.

  5. Signature Hash

    In the dropdown, select a signature hash for the certificate: SHA-256 or SHA-1.

  6. Server Platform

    Select the platform you want to use your reissued certificate with.

  7. Reason for Reissue

    Specify the reason for the certificate reissue

  8. Click Request Reissue.

  9. If an approval for CS certificate reissue is required, the CS verified contact for the organization is sent an email informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.

  10. We will send a copy of the reissued CS certificate via email.

    The subject line of the email is Reissue Your DigiCert Code Signing Certificate (Order #). The email contains a link that lets you reissue and install your Code Signing Certificate. See Install a Code Signing certificate.

    You can also download a copy of the reissued certificate from your CertCentral account on the CS certificate's Order details page.


Verifying Your SHA1 and SHA256 Code Signing Certificates

Once you've installed both versions of the Code Signing Certificate on your device, determine which certificate is the SHA256 and which is the SHA1. We recommend using our DigiCert® Certificate Utility for Windows to make the verification process easier.

How to Verify the SHA1 and SHA2 Versions of Your Code Signing Certificates

  1. On your Windows workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Run the DigiCert Certificate Utility.

    Double-click DigiCertUtil.

  3. In the DigiCert® Certificate Utility for Windows, click Code Signing (blue and silver shield), select the Code Signing Certificate whose signature hash you want to verify, and then, click View Certificate.

  4. In the Certificate window, select the Details tab and look for the Signature hash algorithm field. A value of sha256 (the Signature algorithm field reads sha256RSA) identifies the SHA256 certificate; a value of sha1 (sha1RSA) identifies the SHA1 certificate.

  5. In the DigiCert® Certificate Utility for Windows, click Code Signing (blue and silver shield), right-click on the Code Signing Certificate whose signature hash you just checked, and then click Edit friendly name.

    Good friendly names can help you easily identify each version of the Code Signing Certificate at a glance.

  6. In the Friendly Name box, enter a unique friendly name for that certificate to help you distinguish it from the other version of the Code Signing Certificate (e.g., yourCompany-SHA256 or yourCompany-SHA1).

  7. When you are finished, click Save.

  8. Repeat steps 3 through 7 to identify the second version of your Code Signing Certificate.


Building the Signing Commands and Signing Your Files

Once both Code Signing Certificates have been identified (SHA256 and SHA1 versions), build the command that you will use to sign your files with both signature hashes (SHA256 and SHA1).

SignTool ships with the Windows SDK. Make sure to use version 6.3 (Windows 8.1 SDK) or later, since older builds do not support the SHA-256 file digest, RFC 3161 timestamps, or appending a second signature. Installing the Windows 10 SDK gives you SignTool version 10.0.

How to Get Your Code Signing Certificates' Thumbprints

First, get the thumbprint from each version of your Code Signing Certificate (SHA256 and SHA1).

  1. Open up a text editor (e.g., Notepad).

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In the DigiCert® Certificate Utility for Windows, click Code Signing (blue and silver shield), right-click on your SHA256 Code Signing Certificate, and then, click Copy thumbprint to clipboard.

  4. After you receive the message that the thumbprint has been copied to the clipboard, paste the thumbprint for your SHA256 Code Signing Certificate in the text editor.

  5. Repeat steps 3 and 4 to get the thumbprint for the SHA1 Code Signing Certificate.

    Important: Make sure to note which thumbprint is the SHA256 and which one is the SHA1. Every thumbprint is a SHA-1 hash of the certificate itself, whichever signature hash the certificate uses, so the two values look alike and cannot be told apart by format.
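The two preceding sections (identifying which installed certificate is the SHA256 and which the SHA1 version, then copying each thumbprint) can be done in one pass from PowerShell. The script below is an added example and is not part of the original article or of the DigiCert utility. It assumes both certificates are installed with their private keys in the current user's personal store (Cert:\CurrentUser\My); the store path, the EKU and algorithm OIDs, and the friendly-name prefix are the only inputs. Reading the thumbprint this way also avoids the invisible characters that sometimes come along when it is copied from a certificate dialog.

```powershell
# Added example (not from the original article): identify the SHA-256 and
# SHA-1 versions of a Code Signing Certificate, print their thumbprints,
# and optionally label them with distinguishing friendly names.
#
# Assumption: both certificates live in the current user's personal store.
# Change $StorePath to 'Cert:\LocalMachine\My' if they were installed
# machine-wide.
$StorePath      = 'Cert:\CurrentUser\My'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning
$HashByOid      = @{
    '1.2.840.113549.1.1.11' = 'SHA256'       # sha256WithRSAEncryption
    '1.2.840.113549.1.1.5'  = 'SHA1'         # sha1WithRSAEncryption
}

function Get-CodeSigningCertInfo {
    # One object per code-signing certificate that has a private key, tagged
    # with the hash algorithm of the certificate's OWN signature (the field
    # the Details tab shows as "Signature hash algorithm").
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $CodeSigningEku })
        } |
        ForEach-Object {
            $oid  = $_.SignatureAlgorithm.Value
            $hash = $_.SignatureAlgorithm.FriendlyName   # fallback, e.g. ECDSA certs
            if ($HashByOid.ContainsKey($oid)) { $hash = $HashByOid[$oid] }
            [pscustomobject]@{
                SignatureHash = $hash
                # The thumbprint is always a SHA-1 hash of the certificate,
                # regardless of $hash; it is what signtool /sha1 expects.
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                Subject       = $_.Subject
                FriendlyName  = $_.FriendlyName
                Certificate   = $_
            }
        }
}

function Set-CodeSigningFriendlyNames {
    # Renames each certificate to "<Prefix>-SHA256" or "<Prefix>-SHA1".
    # Assigning FriendlyName on a certificate read from the Cert: provider
    # writes the property back to the store (same effect as the utility's
    # "Edit friendly name").
    param([Parameter(Mandatory)][string]$Prefix)
    foreach ($info in Get-CodeSigningCertInfo) {
        $newName = "$Prefix-$($info.SignatureHash)"
        if ($info.FriendlyName -ne $newName) {
            $info.Certificate.FriendlyName = $newName
            Write-Host "Renamed $($info.Thumbprint) to '$newName'"
        }
    }
}

# Usage: list the installed pair, then label it (uncomment the second line).
Get-CodeSigningCertInfo | Format-Table SignatureHash, Thumbprint, NotAfter, Subject -AutoSize
# Set-CodeSigningFriendlyNames -Prefix 'yourCompany'
```

If the table shows only one certificate, the reissued version has not been installed with its private key yet; if it shows two with the same SignatureHash, the reissue was requested with the wrong signature hash and needs to be repeated.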

How to Build the Signing Commands and Sign Your Files

For all SignTool command line options, refer to the Microsoft SignTool documentation. When using the SHA2 timestamp (/tr with /td sha256) or /fd sha256, make sure to use the latest versions of SignTool (6.3 or later).

Two options are easy to confuse. /sha1 selects the certificate to sign with, by its thumbprint, and has nothing to do with the hashing algorithm of the signature; it is used with both certificates below. /fd sets the digest algorithm computed over the file, and /td the digest algorithm for the RFC 3161 timestamp request.

In step 2 below, replace XXSHA1CERTTHUMBPRINTXX with the thumbprint from the SHA1 version of your Code Signing Certificate that is in your text editor. Then, replace XXSHA256CERTTHUMBPRINTXX with the thumbprint from the SHA2 version of your Code Signing Certificate that is in your text editor. Remove any spaces from the thumbprints.

  1. Open the Command Prompt as an admin.

    1. On the Windows Start screen/menu, type cmd.

    2. Right-click on Command Prompt and then click Run as administrator.

  2. In the Command Prompt, run the following commands in this order. The first applies the primary SHA1 signature (SHA-1 file digest, legacy Authenticode timestamp); the second appends (/as) the SHA256 signature with a SHA-256 file digest and an RFC 3161 timestamp. Without /as, the second command would replace the first signature instead of adding to it. /fd sha1 is stated explicitly on the first command because newer SignTool builds warn or refuse to sign when /fd is omitted.

    • signtool sign /fd sha1 /t http://timestamp.digicert.com /sha1 XXSHA1CERTTHUMBPRINTXX yourfile.exe

    • signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 XXSHA256CERTTHUMBPRINTXX yourfile.exe


How to Verify the Digital Signatures

  1. Right-click on the application and then click Properties.

  2. Select the Digital Signatures tab to view the signing certificates and timestamps. On a SHA-2 capable system you should see two entries, one with digest algorithm sha1 and one with sha256, each with its timestamp. A system without SHA-2 support lists only the primary (SHA-1) entry, which is the behavior the dual signature is designed for.
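The signing commands from the previous section and this verification step, combined into one repeatable script. This is an added example, not code from the original article or from DigiCert. It assumes signtool.exe from the Windows SDK is on PATH (or that $SignTool points at it), that the two thumbprints come from the certificate check earlier on this page, and that the timestamp URL is the DigiCert one used in the article. The final check parses signtool's verbose verify output for lines of the form "Hash of file (sha1): ..."; that format is an assumption about the tool's output rather than a documented interface, so treat a parse failure as "inspect manually", not as a bad signature.

```powershell
# Added example (not from the original article): dual-sign a file, SHA-1
# signature first and SHA-256 appended, then confirm both signatures verify.
$SignTool     = 'signtool.exe'                    # or the full path under the Windows 10 SDK
$TimestampUrl = 'http://timestamp.digicert.com'   # used for both /t and /tr in the article

function ConvertTo-CleanThumbprint {
    # Thumbprints copied from certificate dialogs often carry spaces and an
    # invisible left-to-right mark (U+200E); either makes signtool report
    # "No certificates were found". Keep only the 40 hex digits.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -ne 40) {
        throw "Expected a 40-hex-digit certificate thumbprint, got '$Thumbprint'"
    }
    return $clean.ToUpperInvariant()
}

function Invoke-SignTool {
    # Runs signtool, echoes its output, and turns a non-zero exit code into an
    # exception so a failed primary signature stops the script before /as.
    param([Parameter(Mandatory)][string[]]$Arguments)
    if (-not (Get-Command $SignTool -ErrorAction SilentlyContinue)) {
        throw "Cannot find '$SignTool'; install the Windows SDK or set `$SignTool to its path"
    }
    $output = & $SignTool @Arguments 2>&1 | ForEach-Object { "$_" }
    $output | ForEach-Object { Write-Host "  $_" }
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
    return $output
}

function Invoke-DualSign {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Sha1CertThumbprint,
        [Parameter(Mandatory)][string]$Sha256CertThumbprint
    )
    $sha1Tp   = ConvertTo-CleanThumbprint $Sha1CertThumbprint
    $sha256Tp = ConvertTo-CleanThumbprint $Sha256CertThumbprint
    if ($sha1Tp -eq $sha256Tp) { throw 'Both thumbprints name the same certificate' }

    # 1. Primary signature: SHA-1 file digest (/fd), SHA1 certificate, legacy
    #    Authenticode timestamp (/t). Systems without SHA-2 support read only
    #    this first signature, so it has to be the SHA-1 one.
    Write-Host "Signing $File with SHA-1 certificate $sha1Tp"
    Invoke-SignTool @('sign', '/fd', 'sha1', '/t', $TimestampUrl, '/sha1', $sha1Tp, $File) | Out-Null

    # 2. Appended signature (/as): SHA-256 file digest, SHA256 certificate,
    #    RFC 3161 timestamp (/tr) with a SHA-256 timestamp digest (/td).
    #    Without /as this command would REPLACE the SHA-1 signature.
    Write-Host "Appending SHA-256 signature with certificate $sha256Tp"
    Invoke-SignTool @('sign', '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256',
                      '/as', '/sha1', $sha256Tp, $File) | Out-Null

    # 3. Verify under the default Authenticode policy (/pa). /all makes signtool
    #    check every signature in the file; without it only the primary is checked.
    $verify  = Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
    # Assumption: verbose output reports each signature as "Hash of file (<alg>): ...".
    $digests = @($verify | ForEach-Object {
        if ($_ -match 'Hash of file \((\w+)\)') { $Matches[1].ToLower() }
    })
    foreach ($want in 'sha1', 'sha256') {
        if ($digests -notcontains $want) {
            throw "Verification did not report a $want signature on $File; inspect the Digital Signatures tab"
        }
    }
    Write-Host "OK: $File carries $($digests.Count) verified signatures ($($digests -join ', '))"
}

# Usage (the thumbprint placeholders are the article's; substitute your own):
# Invoke-DualSign -File .\yourfile.exe -Sha1CertThumbprint XXSHA1CERTTHUMBPRINTXX -Sha256CertThumbprint XXSHA256CERTTHUMBPRINTXX
```

Run the verification on the oldest system you intend to support as well: signtool verify on a SHA-2 capable machine proves both signatures are well formed, but only a Windows 7 machine without the SHA-2 update demonstrates that the primary SHA-1 signature is the one it accepts.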
