Dual Sign Your Software File Using SHA-256 & SHA-1 Code Signing Certificates


Software developers often build software that has to run on several versions of an operating system. For instance, software built for Windows 10 and 8 may also be expected to run on earlier versions such as Windows Vista.

However, one issue arises: newer versions of Windows support SHA-256 signatures, while earlier versions such as Windows Vista can validate only SHA-1 signatures. Because of this, a file signed only with SHA-256 fails signature validation on older Windows operating systems.

So, if you are in such a situation and want your software to run on both newer and older versions of Windows, it is better to dual sign your software file with SHA-256 and SHA-1 code signing certificates.

To do this, you first sign your software/application using the SHA-256 code signing certificate. Then, once it is signed, you affix a second signature using the SHA-1 code signing certificate.

Put simply, the main reason to dual sign a software/application file is to support, with a single file, earlier operating systems such as Windows Vista that are not compatible with SHA-256 signatures.

Dual Signing Your Software/Application Using SHA-256 & SHA-1 Code Signing Certificates

To dual sign your software/application file so that the SHA-1 signature is available to earlier operating systems such as Windows Vista, run the following two commands (the placeholder <pfx-password> stands for the password of your PFX file):

signtool.exe sign /f SignMyCode.pfx /p <pfx-password> /fd sha1 /t http://timestamp.certificate-authority-name.com /v MyCodeSign.exe
signtool.exe sign /f SignMyCode.pfx /p <pfx-password> /fd sha256 /tr http://timestamp.certificate-authority-name.com/?td=sha256 /td sha256 /as /v MyCodeSign.exe

Here,

  • MyCodeSign.exe is an example software/application file. Replace it with the file you want to sign.
  • SignMyCode.pfx is the certificate file (PKCS#12/PFX) that holds your code signing certificate and private key.
  • signtool.exe is the command-line tool that digitally signs your application/software file and verifies signatures and timestamps. The first command creates the primary signature with a SHA-1 file digest (/fd sha1) and an Authenticode timestamp (/t); the second appends (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr, /td sha256).

Command for Full SHA-1 Compatibility

For full SHA-1 compatibility you need two certificates: a SHA-1 based one for the first signature and a SHA-256 based one for the second. The commands are:

signtool.exe sign /f SignMyCodeSHA1Crt.pfx /p <pfx-password> /fd sha1 /t http://timestamp.certificate-authority-name.com /v MyCodeSign.exe
signtool.exe sign /f SignMyCodeSHA256Crt.pfx /p <pfx-password> /fd sha256 /tr https://timestamp.certificate-authority-name.com/?td=sha256 /td sha256 /as /v MyCodeSign.exe

Here,

  • Replace https://timestamp.certificate-authority-name.com with the timestamp URL of the Certificate Authority from which you purchased your code signing certificate.
  • The /p argument supplies the password that decrypts your P12/PFX file; give the password after /p, or omit /p if the file is not password protected.
  • For dual signing (the /as option) you need signtool.exe version 6.3 or later; the latest available Windows SDK is the safest choice.

Furthermore, if you also want to support older versions of Windows such as Windows XP SP2 or earlier, you need to dual sign the DLLs, EXEs and all other related files, and you need a SHA-1 based code signing certificate:

signtool.exe sign /f SignMyCodeCrt.pfx /fd sha1 /t http://timestamp.certificate-authority-name.com /v MyCodeSign.exe
signtool.exe sign /f SignMyCodeCrt.pfx /fd sha256 /tr http://timestamp.certificate-authority-name.com/?td=sha256 /td sha256 /as /v MyCodeSign.exe

Note: As mentioned above, you may need to pass extra arguments to signtool.exe. For instance, add /p followed by the password if your PFX/P12 file is password protected.
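The two-pass procedure above, wrapped in a PowerShell function that stops at the first failing pass and then verifies every signature in the file. This is an added example, not code from the original article; it assumes signtool.exe from the Windows SDK is on PATH (or passed via -SignTool), and the PFX paths, password and timestamp URLs are placeholders you must replace. As in the article's commands, the SHA-1 signature is written first and the SHA-256 signature is appended with /as.

```powershell
# Added example (not from the original article): run the two signtool passes the
# article describes, fail loudly if either pass does not succeed, then verify.
# Assumptions: signtool.exe (Windows SDK 8.1 / 10) is on PATH or given via -SignTool;
# PFX paths, password and timestamp URLs are placeholders to be replaced.
function Invoke-DualSign {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $File,            # e.g. .\MyCodeSign.exe
        [Parameter(Mandatory)] [string] $Sha1Pfx,         # certificate used for the SHA-1 signature
        [string] $Sha256Pfx = $Sha1Pfx,                   # same file unless you hold two certificates
        [Parameter(Mandatory)] [string] $PfxPassword,     # passed to /p
        [string] $Sha1TimestampUrl   = 'http://timestamp.certificate-authority-name.com',
        [string] $Sha256TimestampUrl = 'http://timestamp.certificate-authority-name.com/?td=sha256',
        [string] $SignTool = 'signtool.exe'
    )

    # Pass 1: primary signature, SHA-1 file digest, Authenticode (/t) timestamp.
    & $SignTool sign /f $Sha1Pfx /p $PfxPassword /fd sha1 /t $Sha1TimestampUrl /v $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing of $File failed (exit code $LASTEXITCODE)" }

    # Pass 2: SHA-256 digest, RFC 3161 (/tr) timestamp, appended (/as) so pass 1 survives.
    & $SignTool sign /f $Sha256Pfx /p $PfxPassword /fd sha256 /tr $Sha256TimestampUrl /td sha256 /as /v $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing of $File failed (exit code $LASTEXITCODE)" }

    # Check every signature in the file (/all), not only the primary one.
    & $SignTool verify /pa /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "Verification of $File failed (exit code $LASTEXITCODE)" }
}

# Usage (placeholder values):
# Invoke-DualSign -File .\MyCodeSign.exe -Sha1Pfx .\SignMyCodeSHA1Crt.pfx `
#     -Sha256Pfx .\SignMyCodeSHA256Crt.pfx -PfxPassword '<pfx-password>'
```

A password given to /p is visible in the process command line and in shell history on the signing machine. Where the certificate is installed in the Windows certificate store, selecting it with signtool's /sha1 <thumbprint> option avoids putting the PFX password on the command line at all.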

Finally, once signing completes, verify the result so you can be sure it has not created any issues.

To verify, follow these steps:

  • Right-click the dual signed software/application file and open Properties.
  • In the Properties window, go to the Digital Signatures tab. If the file is dual signed, you should see both signing certificates, SHA-1 and SHA-256, each with its timestamp if you timestamped it.

[Image: dual signature algorithm]

If everything worked as it should, then you’ll see something as shown in the above image.
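The Digital Signatures tab is fine for a one-off check, but a build pipeline needs the same answer from a script. The following PowerShell function is an added example, not part of the original article: it runs signtool verify with /all so nested signatures are walked (Get-AuthenticodeSignature reports only the primary signature), parses the verbose output, and reports whether both a SHA-1 and a SHA-256 signature are present. The "Signature Index:" and "Hash of file (algorithm):" line patterns are assumed from signtool's verbose output; adjust them if your SDK version prints something different.

```powershell
# Added example (not from the original article): confirm from a script that a file
# carries both the SHA-1 and the SHA-256 signature.
# Assumption: `signtool verify /v` prints "Signature Index: N ..." followed by
# "Hash of file (sha1): ..." / "Hash of file (sha256): ..." for each signature.
function Get-AuthenticodeDigests {
    param(
        [Parameter(Mandatory)] [string] $File,
        [string] $SignTool = 'signtool.exe'
    )

    # /pa = default Authenticode policy, /all = verify nested signatures too.
    $out = & $SignTool verify /pa /all /v $File 2>&1 | Out-String
    $verified = ($LASTEXITCODE -eq 0)

    $index = $null
    $digests = @()
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match '^Signature Index:\s*(\d+)') {
            $index = [int]$Matches[1]
        }
        elseif ($line -match '^Hash of file \((\w+)\):') {
            $digests += [pscustomobject]@{
                Index     = $index
                Algorithm = $Matches[1].ToLower()
            }
        }
    }

    [pscustomobject]@{
        File       = $File
        Verified   = $verified
        Digests    = $digests
        DualSigned = (($digests.Algorithm -contains 'sha1') -and
                      ($digests.Algorithm -contains 'sha256'))
    }
}

# Usage:
# $r = Get-AuthenticodeDigests -File .\MyCodeSign.exe
# if (-not ($r.Verified -and $r.DualSigned)) {
#     Write-Error "$($r.File) is not a verified, dual-signed binary"
# }
```

Treat Verified and DualSigned as two separate conditions: a file can carry both digests yet fail verification (an untrusted chain or a broken signature), and a file that verifies cleanly may still carry only one of them, which is exactly the case the older operating systems will reject.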

Wrapping Up

Nowadays, most people have upgraded their systems to the latest available operating system. However, some still use an older operating system for one reason or another.

As a software developer, if you are building software for someone else or want it to be accepted by both the latest and earlier versions of Windows, such as Windows Vista and Windows 10, dual signing is a must, because earlier operating systems are not compatible with SHA-2 signatures.

Lastly, if you have read this far, we hope this article has helped you dual sign your software/application file so that it runs smoothly on both the latest and older Windows versions.

FAQ

What Is Dual Signing in Code Signing?

To sign a software or application file with two code signing certificates, you run the code signing command twice. For the second signature the command changes slightly: it appends the new signature with /as instead of replacing the first. The exact commands are given above.

What Is SignTool?

SignTool is a command-line tool for digitally signing files, verifying digital signatures, and timestamping software/application files. It is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK).

For instance: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe

What Is SHA-2?

SHA-2 (Secure Hash Algorithm 2) is a family of hashing algorithms, of which SHA-256 is one member, designed as the successor to SHA-1. It replaces SHA-1 and is known for better security than its predecessor.

What Is SHA-1?

SHA-1 is a cryptographic hash algorithm that takes an input and produces a 160-bit (20-byte) hash value called a message digest. From 2005 onwards it has been considered insecure, and in 2011 it was formally deprecated.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
