Software developers often build software that has to run on several versions of an operating system. For instance, software built for Windows 10 and 8 may also have to run on earlier versions such as Windows Vista.
One issue arises here: newer operating system versions support SHA-256 signatures, while earlier versions such as Windows Vista support only the SHA-1 hashing algorithm. Because of this, software signed only with SHA-256 fails on older Windows operating systems.
So, if you are in that situation and want your software to run on both newer and older versions of Windows, it is better to dual sign the software file with SHA-256 and SHA-1 code signing certificates.
That is, you first sign your software/application with the SHA-256 code signing certificate. Once it is signed, you affix a second signature with the SHA-1 code signing certificate.
Put simply, the main reason to dual sign a software/application file is to support, with a single file, earlier operating systems such as Windows Vista that are not compatible with SHA-256 signatures.
To dual sign the software/application file and add the SHA-1 signature for earlier operating systems such as Windows Vista, the commands are:
signtool.exe sign /f SignMyCode.pfx /p <password> /t http://timestamp.certificate-authority-name.com /v MyCodeSign.exe
signtool.exe sign /f SignMyCode.pfx /p <password> /fd sha256 /tr http://timestamp.certificate-authority-name.com/?td=sha256 /td sha256 /as /v MyCodeSign.exe
Likewise, for full SHA-1 compatibility you will need two certificates, one SHA-1 and one SHA-256. The commands for that case are:
signtool.exe sign /f SignMyCodeSHA1Crt.pfx /p <password> /t http://timestamp.certificate-authority-name.com /v MyCodeSign.exe
signtool.exe sign /f SignMyCodeSHA256Crt.pfx /p <password> /fd sha256 /tr https://timestamp.certificate-authority-name.com/?td=sha256 /td sha256 /as /v MyCodeSign.exe
Furthermore, if you want to support still older versions of Windows, such as Windows XP SP2 or earlier, you will also need to dual sign the DLLs, EXEs and all other related files, and you will need a SHA-1 based code signing certificate:
signtool.exe sign /f SignMyCodeCrt.pfx /t http://timestamp.certificate-authority-name.com /v MyCodeSign.exe
signtool.exe sign /f SignMyCodeCrt.pfx /fd sha256 /tr http://timestamp.certificate-authority-name.com/?td=sha256 /td sha256 /as /v MyCodeSign.exe
Note: As mentioned above, you may need to pass extra arguments to signtool.exe. For instance, you will need the /p argument with the password that decrypts the PFX/P12 file.
Finally, once signing completes, it is recommended that you verify the result, so you can be sure it has not introduced any issues.
To verify, go through the steps below:
If everything worked as it should, you will see output like that shown in the image above.
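The two signing commands and the verification step above, as an added PowerShell helper that is not part of the original article. The signtool path, certificate file names and timestamp URLs are the article's placeholders; the function and parameter names are assumed.

```powershell
# Added example (not from the original article): runs the dual-signing procedure
# from the article and then verifies every signature on the file.
# Assumed: the signtool path, PFX names, password and timestamp URLs are placeholders.

function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $File,        # e.g. MyCodeSign.exe
        [Parameter(Mandatory)] [string] $Sha1Pfx,     # e.g. SignMyCodeSHA1Crt.pfx
        [Parameter(Mandatory)] [string] $Sha256Pfx,   # e.g. SignMyCodeSHA256Crt.pfx
        [Parameter(Mandatory)] [string] $PfxPassword,
        [string] $SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe',
        [string] $Sha1TsaUrl = 'http://timestamp.certificate-authority-name.com',
        [string] $Rfc3161TsaUrl = 'http://timestamp.certificate-authority-name.com/?td=sha256'
    )

    # 1. Primary signature with a SHA-1 file digest; /fd sha1 is given explicitly
    #    because recent SignTool builds warn when /fd is omitted.
    & $SignTool sign /f $Sha1Pfx /p $PfxPassword /fd sha1 /t $Sha1TsaUrl /v $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed with exit code $LASTEXITCODE" }

    # 2. Appended signature (/as) with a SHA-256 digest and an RFC 3161 timestamp.
    & $SignTool sign /f $Sha256Pfx /p $PfxPassword /fd sha256 /tr $Rfc3161TsaUrl /td sha256 /as /v $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed with exit code $LASTEXITCODE" }

    # 3. Verification: /all checks every signature on the file, not only the primary one;
    #    /pa applies the default Authenticode policy; /v prints each signer and timestamp.
    & $SignTool verify /pa /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "Verification failed with exit code $LASTEXITCODE" }

    # Get-AuthenticodeSignature reports the primary signature, so this is a quick
    # sanity check that the first (SHA-1) signature chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -ne 'Valid') { throw "Primary signature status: $($sig.Status)" }
    return $sig
}

# Usage (placeholders). The PFX password is visible on the signtool command line,
# so read it from a protected environment variable instead of hard-coding it.
# Invoke-DualSign -File .\MyCodeSign.exe -Sha1Pfx .\SignMyCodeSHA1Crt.pfx `
#     -Sha256Pfx .\SignMyCodeSHA256Crt.pfx -PfxPassword $env:PFX_PASSWORD
```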
Nowadays, most people have upgraded their systems to the latest available operating system. However, some still use an older operating system for one reason or another.
As a software developer, if you are building software for someone else or want it to be accepted by both the latest and earlier versions of Windows, such as Windows Vista and Windows 10, then dual signing is a must, because the earlier operating systems are not compatible with SHA-2 signatures.
Lastly, if you have read this far, we hope this article has helped you dual sign your software/application file so that it runs smoothly on both the latest and older Windows versions.
To sign your software or application file with two code signing certificates, you run the code signing command twice; for dual signing, the second command is slightly different. The exact commands to use are given above.
SignTool is a command-line tool for digitally signing, verifying the digital signatures of, and timestamping software/application files. It is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK).
For instance, C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe.
SHA-2 (Secure Hash Algorithm 2) is a hashing algorithm family and the successor of the SHA-1 hash algorithm, offering better security. In other words, SHA-2 is the replacement for SHA-1 and is known for stronger security than its predecessor.
SHA-1 is a cryptographic hash algorithm that takes an input and produces a 160-bit (20-byte) hash value called a message digest. However, from 2005 onwards it has been considered less secure, and in 2011 it was formally deprecated.