We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.
Using the Windows 8 SDK's signtool:
e.g.:
signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"
(where XXXXXXX is our password for the certificate)
fails with the cryptic error:
SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect. SignTool Error: An error occurred while attempting to sign: file.dll
Signing without a timestamp works, and signing individually as SHA1 or SHA256 works, but we need to dual sign, and we imagine that not having a timestamp is a no-no.
I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?
The issue is actually way simpler.
The problem is with the time stamp server.
Instead of using signtool.exe like this:
You need to use it like this for SHA1:
And for SHA256:
Try using:
/tr is for RFC3161 timestamping, /td obviously for the hash to use.
I also get the above error; however, it works with the osslsigncode utility when using the '-nest' option:
The official project is for Unix; however, I've knocked up my own Windows fork.
I think this link has some nice pointers. Some of it is mentioned in the answer by martin_costello, but this article provides some more details. In particular:
(I haven't tested all this myself though.)
I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008, which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:
Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch, and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature. The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.
Updated 29/12/15:
The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:
Updated 30/12/2015:
To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:
I know it's a bit old, but I landed in this thread and maybe someone else will too.
It will work if you sign first with SHA1 and then with SHA256:
It worked using the same certificate in both signatures. I used the signtool from the Windows 10 SDK; I don't know if it will work with previous versions.
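The procedure the answers above converge on (SHA-1 first with an Authenticode /t timestamp, then /as to append SHA-256 with an RFC 3161 /tr timestamp, selecting certificates by /sha1 thumbprint, and not attempting a second signature on MSI files), written out as one script with a verification step at the end. This is an added example, not code posted by anyone in this thread. It assumes signtool.exe from the Windows 8 SDK or later is on PATH; the thumbprint defaults are constructed placeholders, the RFC 3161 timestamp URL is a placeholder you must replace, and the Authenticode timestamp URL is the one from the question.

```powershell
# Added example (not from the thread): dual-sign a PE file with signtool.exe.
# Order matters: SHA-1 becomes the primary signature, SHA-256 is appended with /as.
param(
    [Parameter(Mandatory = $true)][string] $Path,
    # Placeholders: 40 uppercase hex characters, no spaces (see the thumbprint note above).
    # Use the same thumbprint twice if a single SHA-256-capable certificate is used.
    [string] $Sha1Thumbprint    = "0000000000000000000000000000000000000000",
    [string] $Sha256Thumbprint  = "0000000000000000000000000000000000000000",
    # Authenticode (/t) timestamp URL from the question; RFC 3161 (/tr) URL is a placeholder.
    [string] $AuthenticodeTsUrl = "http://timestamp.verisign.com/scripts/timstamp.dll",
    [string] $Rfc3161TsUrl      = "http://RFC3161-TIMESTAMP-SERVER-PLACEHOLDER/"
)

function Invoke-SignTool {
    # Run signtool.exe and fail loudly, so a silent half-signed build never ships.
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool.exe failed (exit $LASTEXITCODE): signtool $($Arguments -join ' ')"
    }
}

$ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
if ($ext -notin @(".exe", ".dll")) {
    # Per the thread, only DLLs and EXEs accept a second signature; MSI files do not.
    throw "Dual signing is only supported for .exe/.dll; '$ext' must be signed once (e.g. /fd sha1 for legacy clients)."
}

# Step 1: primary SHA-1 signature with an Authenticode timestamp (/t).
# /sha1 selects the signing certificate by thumbprint from the certificate store.
Invoke-SignTool @("sign", "/v", "/sha1", $Sha1Thumbprint, "/fd", "sha1",
                  "/t", $AuthenticodeTsUrl, $Path)

# Step 2: append (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr).
# /td sha256 is the digest used for the timestamp; omitting /as would replace step 1.
Invoke-SignTool @("sign", "/v", "/as", "/sha1", $Sha256Thumbprint, "/fd", "sha256",
                  "/tr", $Rfc3161TsUrl, "/td", "sha256", $Path)

# Step 3: verify every signature present, not only the primary one.
# Get-AuthenticodeSignature reports only the first signature, so /all is the check that matters here.
Invoke-SignTool @("verify", "/pa", "/all", "/v", $Path)
```

Run it as `.\DualSign.ps1 -Path .\file.dll -Sha1Thumbprint <thumbprint> -Sha256Thumbprint <thumbprint> -Rfc3161TsUrl <url>`. The final `verify /pa /all` is the step worth keeping in a build pipeline: it is the quickest way to catch the case the thread describes, where a missing `/as` has silently replaced the SHA-1 signature instead of adding to it.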