signtool failing to dual sign SHA2 and SHA1 with timestamps
We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe; our certificate supports 256-bit SHA2.

Using the Windows 8 SDK's signtool:

e.g.:

signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"

(where XXXXXXX is our password for the certificate)

fails with the cryptic error:

SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect. SignTool Error: An error occurred while attempting to sign: file.dll

Signing without a timestamp works, and signing individually as SHA1 or SHA256 works, but we need to dual sign, and we imagine not having a timestamp is a no-no.

I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?

Deluca answered 30/8, 2013 at 22:9

I know it's a bit old, but I landed in this thread and maybe someone else will too.

It will work if you sign first with SHA1 and then with SHA256:

signtool.exe sign /f cert_file.pfx /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password 

It worked using the same certificate in both signatures. I used the signtool from Windows 10 SDK, don't know if it will work with previous versions.

Scarification answered 17/9, 2015 at 21:22

Comments:
Thanks, this helped! It worked for me with an MSI using signtool from the Windows 8.1 SDK as long as I did it in this order. The MSI shows as trusted on Windows 2008. - Canice
This says "Note that you do need the 6.3 version of Signtool to do this. It comes with the Windows 8.1 SDK". - Elianaelianora

I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:

signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.

The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.

Updated 29/12/15:

The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:

signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Updated 30/12/2015

To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:

signtool.exe sign /sha1 SHA256_Thumbprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"

Bitchy answered 5/6, 2015 at 16:25

Comments:
Does this mean one needs to buy two different certificates? Or is it enough to copy and rename? - Tobin
Yes it does, unfortunately (unless anyone knows better). I couldn't get a SHA-256 certificate used to generate a SHA-1 signature to be accepted as valid on Windows Server 2008. - Bitchy
Any chance you could update with the format of the thumbprint? Simply copying the string from certmgr.msc doesn't work. - Catbird
I'll update with a comment about that. From memory it's all capitals and with no spaces. - Bitchy
I'm wondering what the /du command switch is for? I know that it adds a URL, but where is it used? I don't see it anywhere in the signature or in the UAC popup. - Eer
I think it's not fully shown in the Windows UI anymore, but if I look at the Advanced tab for the .NET host which is Authenticode signed on my machine, I can see a URL within the 1.3.6.1.4.1.311.2.1.12 authenticated attribute of http://www.microsoft.com. - Bitchy
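The following is an added example, not code posted by any answerer on this page. It scripts the procedure from Scarification's answer above (SHA-1 signature with an Authenticode /t timestamp first, then /as to append the SHA-256 signature with an RFC 3161 /tr timestamp), selects each certificate by the /sha1 thumbprint as in Bitchy's answer, normalises the thumbprint into the 40-character upper-case hex form that answer describes, and finally verifies that both signatures are present. The thumbprints, file path, timestamp URLs, description and URL are parameters you supply; the two-certificate split is an assumption you can collapse by passing the same thumbprint twice. It assumes signtool.exe from the Windows 8.1 SDK or later is on PATH.

```powershell
# Added example (not from the original page): dual-sign a PE file SHA-1 first,
# then append a SHA-256 signature, then verify both signatures are present.
# Assumes signtool.exe (Windows 8.1 SDK or later) is on PATH. All parameter
# values are placeholders to be replaced with your own.
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $Sha1Thumbprint,    # cert used for the SHA-1 signature
    [Parameter(Mandatory)] [string] $Sha256Thumbprint,  # may equal $Sha1Thumbprint if one cert suffices
    [string] $Sha1TimestampUrl    = 'http://timestamp.comodoca.com/authenticode',  # Authenticode (/t) TSA
    [string] $Rfc3161TimestampUrl = 'http://timestamp.comodoca.com/rfc3161',       # RFC 3161 (/tr) TSA
    [string] $Description = 'FileDescription',
    [string] $Url         = 'https://example.invalid'   # placeholder /du value
)

$ErrorActionPreference = 'Stop'

# signtool /sha1 expects a 40-hex-character thumbprint with no spaces; certmgr.msc
# shows it with spaces, and pasting that form is the failure the answer above mentions.
function ConvertTo-SignToolThumbprint([string] $Thumbprint) {
    $clean = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Not a 40-hex-character SHA-1 certificate thumbprint: '$Thumbprint'"
    }
    return $clean
}

# Run signtool and fail the script on a non-zero exit code.
function Invoke-SignTool([string[]] $Arguments) {
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

$t1 = ConvertTo-SignToolThumbprint $Sha1Thumbprint
$t2 = ConvertTo-SignToolThumbprint $Sha256Thumbprint

# Step 1: primary SHA-1 signature with an Authenticode (/t) timestamp.
Invoke-SignTool @('sign', '/sha1', $t1, '/fd', 'sha1', '/t', $Sha1TimestampUrl,
                  '/d', $Description, '/du', $Url, '/v', $Path)

# Step 2: append (/as) the SHA-256 signature with an RFC 3161 (/tr, /td) timestamp.
# Without /as this step would replace the SHA-1 signature instead of nesting beside it.
Invoke-SignTool @('sign', '/sha1', $t2, '/as', '/fd', 'sha256',
                  '/tr', $Rfc3161TimestampUrl, '/td', 'sha256',
                  '/d', $Description, '/du', $Url, '/v', $Path)

# Step 3: verify. /all checks every signature in the file. Get-AuthenticodeSignature
# only reports the primary signature, so it cannot confirm that both are present.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $Path)
```

Run it as `.\DualSign.ps1 -Path .\file.dll -Sha1Thumbprint '01 23 45 ...' -Sha256Thumbprint '...'` (script name is an assumption). The order of the two sign steps is the point: reversing them, or omitting /as on the second, reproduces the failures described in the question and the answers above.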

The issue is actually way simpler.

The problem is with the time stamp server.

Instead of using signtool.exe with this

/t http://timestamp.comodoca.com 

You need to use it like this for SHA1

/tr http://timestamp.comodoca.com /td sha1

And for SHA256

/tr http://timestamp.comodoca.com/?td=sha256 /td sha256
Thorny answered 14/1, 2017 at 23:34

Try using

signtool.exe sign /as /fd sha256 /tr http://timestamp.geotrust.com /td sha256 /f certificate.pfx /p XXXXXX file.dll

/tr is for RFC3161 timestamping, /td obviously for the hash to use.

Kelvinkelwen answered 27/9, 2013 at 21:29

Adding to martin_costello's answer: XP and Vista do not support the RFC timestamp. You need to use the /t option for SHA1 signatures.

signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
Intarsia answered 31/8, 2015 at 16:1

I also get the above error; however, it works with the osslsigncode utility when using the '-nest' option:

osslsigncode sign -pkcs12 cert1.pfx -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in original.exe -out intermediate.exe
osslsigncode sign -pkcs12 cert2.pfx -nest -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in intermediate.exe -out final.exe

The official project is for Unix; however, I've knocked up my own Windows fork.

Freefloating answered 24/4, 2015 at 7:35

I think this link has some nice pointers. Some of it is mentioned in the answer by martin_costello, but this article provides some more details. In particular:

  • 'Dual signing and include an SHA1 file digest' is possible if you sign SHA1 first, and use /as for the SHA256. It only works with signtool v6.3 from the Windows 8.1 SDK (or later) though.
  • Dual signing with 'a FULL SHA1 signature', needed for Windows versions before XP SP3, requires 2 different certificates.

(I haven't tested all this myself though.)

Elianaelianora answered 20/4, 2016 at 10:11

© 2022 - 2024 — McMap. All rights reserved.