Authenticode Dual EV Code Signing Instructions

In some circumstances, you may want to sign an application with two different signatures. For example, you are building an application that you want to run on both Windows 7 and Windows 8. Windows 8 supports SHA256 EV Code Signing Certificates; however, Windows 7 may only support SHA-1 EV Code Signing Certificates (see the Microsoft security advisory "Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2", March 10, 2015).

In this situation, you can first sign the application with a primary signature using a SHA256 EV Code Signing Certificate. Then you can append a secondary signature using a SHA1 EV Code Signing Certificate.

For standard Code Signing Certificate dual signing instructions, see Dual Signing with SHA256 and SHA1 Standard Code Signing Certificates.

Dual Signing Process for EV Code Signing Certificates

Dual signing with SHA256 and SHA1 EV Code Signing Certificates consists of four main steps. Depending on what you already have in place, you may need to complete all four or just one or two.

  1. Getting Your SHA256 and SHA1 EV Code Signing Certificates

  2. Verifying Your SHA1 and SHA256 EV Code Signing Certificates

  3. Building the Signing Commands and Signing Your Files

  4. Verifying the Digital Signatures


Getting Your SHA256 and SHA1 EV Code Signing Certificates

These instructions assume that you have already purchased your EV Code Signing Certificate and either activated a token with the certificate preinstalled on it or installed the certificate on your own device.

By default, DigiCert EV Code Signing Certificates are SHA256. If you are a DigiCert customer, getting a SHA1 version of your EV Code Signing Certificate is fairly easy. Contact our Support team to assist you with the reissue process, as there are a few extra steps that need to be completed before and after you re-key your certificate.

How to Get a SHA1 Version of Your EV Code Signing Certificate (Re-key)

  1. Before you reissue/re-key your EV Code Signing Certificate, contact our Support team so that they can do the following for you:

    1. Set the algorithm to SHA1 for you.

    2. Cancel the pending revoke on the original certificate after you re-key the certificate.

      1. Normally, reissuing an EV Code Signing Certificate revokes the original certificate after 48 hours, but in this case you need both versions of the certificate for dual signing.

      2. Note that anything signed with a certificate that is later revoked remains valid as long as it was timestamped when it was signed.

  2. Log into your DigiCert Management Console, and then click the Order # for your EV Code Signing Certificate.

  3. On the Manage Your EV Code Signing – Order # page, under Reissue Actions, click Re-Key Your Certificate.

  4. Open up a text editor (e.g., Notepad).

  5. On the Reissue - Re-Key EV Code Signing Certificate page, if you don’t already have the hardware installer on your computer, click the DigiCert Hardware Certificate Installer link to download it.

  6. Next, click Create New Initialization Code.

  7. On the Manage Your EV Code Signing – Order # page, next to Initialization Code, copy the initialization code and paste it into your text editor.

How to Install Your SHA1 EV Code Signing Certificate on Your Token

Before following the steps in this procedure, make sure that you have installed the drivers for the token on your computer. If the drivers are not installed, the installation wizard asks you to stop the installation and install the drivers before continuing.

  1. After you record the initialization code, on the Manage Your EV Code Signing – Order # page, next to Initialization Code, click the DigiCert Hardware Certificate Installer link to download and run the DigiCert Hardware Certificate Installer (if you did not already download it in the previous procedure).

  2. In the DigiCert Hardware Certificate Installer wizard, on the Welcome page, click Next.

  3. On the License Agreement page, read the User License Agreement, check I accept and agree to the license agreement, and then, click Next.

  4. On the Initialization Code page, in the Initialization Code box, enter the initialization code that you previously recorded in your text editor, and then click Next.

  5. On the Token Detection page, plug in the token that has your SHA256 EV Code Signing Certificate on it.

    Note: Make sure that only one token is plugged in. If more than one token is plugged in, the wizard asks you to remove the tokens that are not being used for the EV Code Signing Certificate installation.

  6. Next, the DigiCert Hardware Certificate Installer wizard analyzes your secure token device.

  7. When the wizard reports that your token has already been properly initialized with a token password, click Next.

    When you click Next, you continue using the current token password, and the SHA1 DigiCert EV Code Signing Certificate is installed on the same token on which your SHA256 EV Code Signing Certificate is already installed. Your token then contains both certificates, which makes it easier to dual sign and to keep track of both certificates.

  8. On the Token Password page, in the Token Password box, enter your password and then, click Finish.

  9. On the Certificate Installation page, after you receive four green check marks, click Close.


Verifying Your SHA1 and SHA256 EV Code Signing Certificates

Once you have installed both versions of the EV Code Signing Certificate on your token, you need to determine which certificate is the SHA256 version and which is the SHA1 version. We recommend using the DigiCert Certificate Utility for Windows to make the verification process easier.

How to Verify the SHA1 and SHA2 Versions of Your EV Code Signing Certificates

  1. On your Windows workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Plug in the token with both versions of your EV Code Signing Certificate on it.

  3. Run the DigiCert Certificate Utility.

    Double-click DigiCertUtil.

  4. In the DigiCert Certificate Utility for Windows, click Code Signing (blue and silver shield), select the Code Signing Certificate with the signature hash you want to verify, and then click View Certificate.

  5. In the Certificate window, select the Details tab and look for the Signature hash algorithm field to identify whether the certificate uses a sha256 or sha1 signature hash.

  6. In the DigiCert Certificate Utility for Windows, click Code Signing (blue and silver shield), right-click the Code Signing Certificate with the signature hash you just checked, and then click Edit friendly name.

    Note: Good friendly names can help you easily identify each version of the EV Code Signing Certificate at a glance.

  7. In the Friendly Name box, enter a unique friendly name for that certificate to help you distinguish it from the other version of the Code Signing Certificate (e.g., yourCompany-SHA256 or yourCompany-SHA1).

  8. When you are finished, click Save.

  9. Repeat steps 4 through 8 to identify the second version of your Code Signing Certificate.


Building the Signing Commands and Signing Your Files

Now that both EV Code Signing Certificates have been identified, you need to build the commands that you will use to sign your files with both versions of your EV Code Signing Certificate (SHA256 and SHA1).

Note: Make sure to use the latest version of signtool (6.3 or later) to avoid errors. To get signtool version 10.0, install the Windows 10 SDK on your computer.

How to Get Your EV Code Signing Certificates' Thumbprint

First you need to get the thumbprint from each version of your EV Code Signing Certificate (SHA256 and SHA1).

  1. On your Windows workstation, plug in the token with both versions of your EV Code Signing Certificate on it.

  2. Open up a text editor (e.g., Notepad).

  3. In the DigiCert Certificate Utility for Windows, click Code Signing (blue and silver shield), right-click your SHA256 EV Code Signing Certificate, and then click Copy thumbprint to clipboard.

  4. After you receive the message that the thumbprint has been copied to the clipboard, paste the thumbprint for your SHA256 EV Code Signing Certificate into the text editor.

  5. Repeat steps 2 through 4 above to get the thumbprint for the SHA1 EV Code Signing Certificate.

    Important: Make sure to note which thumbprint is the SHA256 and which one is the SHA1.
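The two procedures above (identifying which certificate is SHA256 and which is SHA1, then recording each thumbprint) can also be done from PowerShell. The following is an added example, not code from DigiCert or from this page. It assumes the token is plugged in and its driver has published the certificates into the current user's personal store (Cert:\CurrentUser\My), which is also where signtool looks up a certificate by thumbprint; the friendly-name labels and the XX...XX thumbprint placeholders are assumptions to be replaced with your own values.

```powershell
# Added example (not the DigiCert page's own code): identify the SHA256 and SHA1
# versions of an EV Code Signing Certificate and collect their thumbprints from
# PowerShell instead of the Certificate Utility GUI.
# Assumes the token's certificates are visible in Cert:\CurrentUser\My.

function Get-EvCodeSigningCertificate {
    # -CodeSigningCert keeps only certificates that carry the Code Signing EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        ForEach-Object {
            [pscustomobject]@{
                FriendlyName  = $_.FriendlyName
                Subject       = $_.Subject
                # Same value as "Signature hash algorithm" on the Details tab,
                # e.g. sha256RSA or sha1RSA. This is how the two versions are told apart.
                HashAlgorithm = $_.SignatureAlgorithm.FriendlyName
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                # The thumbprint is what signtool's /sha1 option expects.
                Thumbprint    = $_.Thumbprint
            }
        }
}

function Set-CertificateFriendlyName {
    # Equivalent of "Edit friendly name" in the Certificate Utility: assigning
    # FriendlyName on a certificate read from the store writes it back to that entry.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $FriendlyName
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    $cert.FriendlyName = $FriendlyName
}

# Step 1: list the candidates with their hash algorithm and thumbprint.
Get-EvCodeSigningCertificate |
    Format-Table FriendlyName, HashAlgorithm, NotAfter, HasPrivateKey, Thumbprint -AutoSize

# Step 2: label each version so they are easy to tell apart later.
# The thumbprints below are placeholders (assumption); paste the real ones from the listing.
Set-CertificateFriendlyName -Thumbprint 'XXSHA256CERTTHUMBPRINTXX' -FriendlyName 'yourCompany-SHA256'
Set-CertificateFriendlyName -Thumbprint 'XXSHA1CERTTHUMBPRINTXX'   -FriendlyName 'yourCompany-SHA1'
```

The HashAlgorithm column refers to the algorithm the CA used to sign the certificate itself, which is what distinguishes the SHA256 issue from the SHA1 reissue; it does not control the digest signtool applies to your file, which is set per signing command with /fd.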

How to Build the Signing Commands and Sign Your Files

For all signtool command-line options, refer to the Microsoft SignTool documentation. When using a SHA2 timestamp or /fd sha256, make sure to use the latest version of signtool (6.3 or later).

Note: In step 3 below, replace XXSHA1CERTTHUMBPRINTXX with the thumbprint of the SHA1 version of your EV Code Signing Certificate that you recorded in your text editor, and replace XXSHA256CERTTHUMBPRINTXX with the thumbprint of the SHA2 version. In both commands the /sha1 option selects the signing certificate by its thumbprint; it does not choose the digest algorithm, which is set by /fd.

  1. On your Windows workstation, plug in the token with both versions of your EV Code Signing Certificate on it.

  2. Open the Command Prompt as an administrator.

    1. On the Windows Start screen/menu, type cmd.

    2. Right-click on Command Prompt and then click Run as administrator.

  3. In the Command Prompt, run the following commands to apply the SHA1 signature first and then append the SHA256 signature:

    • signtool sign /t http://timestamp.digicert.com /sha1 XXSHA1CERTTHUMBPRINTXX yourfile.exe

    • signtool sign /tr https://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 XXSHA256CERTTHUMBPRINTXX yourfile.exe


How to Verify the Digital Signatures

  1. Right-click on the application and then click Properties.

  2. Select the Digital Signatures tab to view the signing certificates and timestamps.
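The two signtool commands from the signing procedure and the verification step above can be combined into one script that stops on the first failure and checks both signatures afterwards. This is an added example, not DigiCert's or the page's own code. It assumes signtool.exe from the Windows SDK is on the PATH (otherwise pass its full path via -SignTool), uses the page's XX...XX thumbprint placeholders as parameters, and assumes the file name yourfile.exe.

```powershell
# Added example (not the DigiCert page's own code): dual-sign a file with the
# SHA1 and SHA256 EV certificates, then verify every signature on the file.
# Assumes signtool.exe (Windows SDK, version 6.3 or later) is on the PATH.

function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha1Thumbprint,    # thumbprint of the SHA1 EV certificate
        [Parameter(Mandatory)] [string] $Sha256Thumbprint,  # thumbprint of the SHA256 EV certificate
        [string] $SignTool = 'signtool.exe'                 # assumption: on PATH; pass a full path otherwise
    )

    # Primary signature: SHA1 certificate with an Authenticode timestamp (/t).
    # /sha1 selects the certificate by thumbprint; it does not set the digest.
    & $SignTool sign /t http://timestamp.digicert.com /sha1 $Sha1Thumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA1 signing of $Path failed (signtool exit code $LASTEXITCODE)" }

    # Secondary signature: SHA256 certificate, SHA256 file digest (/fd), RFC 3161
    # timestamp with a SHA256 digest (/tr, /td), appended (/as) so the SHA1
    # primary signature is kept rather than replaced.
    & $SignTool sign /tr https://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $Sha256Thumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA256 signing of $Path failed (signtool exit code $LASTEXITCODE)" }

    # Verification: /pa uses the Default Authenticode policy, /all checks every
    # signature in the file (not just the primary one), /v prints the chain
    # and timestamp details for each signature.
    & $SignTool verify /pa /all /v $Path
    if ($LASTEXITCODE -ne 0) { throw "Signature verification of $Path failed (signtool exit code $LASTEXITCODE)" }
}

# Usage (thumbprint values are the page's placeholders; replace them with your own).
Invoke-DualSign -Path .\yourfile.exe `
                -Sha1Thumbprint 'XXSHA1CERTTHUMBPRINTXX' `
                -Sha256Thumbprint 'XXSHA256CERTTHUMBPRINTXX'
```

Run this from an elevated PowerShell prompt with the token plugged in; the token driver prompts for the token password at each signing call. Use signtool verify /all rather than Get-AuthenticodeSignature to check the result, because Get-AuthenticodeSignature reports only the primary signature and would not show the appended SHA256 one.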
