Feb 21, 2024
Disclaimer: Since Windows 7 has been patched to support SHA-2 signatures, GlobalSign has followed the mandated cessation of issuance of SHA-1 CodeSigning Certificates since early 2021. This article remains available for customers who still have active SHA-1 Certificates and may use them for other purposes.
Note: Starting January 26, 2021, GlobalSign will no longer offer SHA-1 Authenticode and CodeSign Timestamping services.
In some situations you may need to sign an application with two different signatures (hashing algorithms). This is usually when you want to sign an application that will be used on Windows 7 and Windows 10.
Windows 10 supports SHA256 Code Signing Certificates (SHA-2 hashing algorithm), whereas Windows 7 may only support SHA-1 Code Signing Certificates (SHA-1 hashing algorithm). See the Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.
This means that, to sign a file which will be used on a Windows 7 machine (one which hasn't been updated to the latest version), you will need to use our Standard Code Signing Certificate issued using the SHA1 algorithm option. However, for the file to be used on a Windows 10 machine it will need to be signed either by a Standard Code Signing Certificate issued in SHA256 or by an EV Code Signing Certificate.
EV Code Signing Certificates offer immediate SmartScreen reputation and are only issued in SHA256.
If a Standard Code Signing Certificate is used for both signatures, only one Code Signing Certificate needs to be ordered, as the Certificate can be reissued in either hashing algorithm for free. Please follow the instructions in the guide linked to reissue your Certificate: Reissue Client Certificate
It is also important to note that each individual copy of a Standard Code Signing Certificate builds its own SmartScreen reputation. So if you decide to reissue your Standard Code Signing Certificate, the new Certificate will have no SmartScreen reputation and will need to build it from scratch.
In order to sign your file with two different Code Signing Certificates, the normal signing command needs to be run twice. Note, however, that the command needs to be slightly modified for each signing.
In a standard signing process the /a option is used. This option automatically selects the best Certificate to sign the file with (refer to Important Signtool Options in this article for more information). When dual signing with two different Certificates, however, /a will not work, as it would select the same Certificate during each signing. It needs to be replaced with an option that lets you manually specify the Certificate you want to use.
Method 1: If you are signing a file using two Certificates with different common names, replace the /a option with /n "your Certificate common name".
Method 2: If both of your Certificates have the same common name, replace the /a option with /sha1 Hash.
The hash is your Certificate's thumbprint. An example of this option would be: /sha1 81c560ba1c8c9fe07e7f16f37960e87be5565696
Your thumbprint can be found following the guide below:
Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the Certificate itself has expired.
SHA-2 based: http://timestamp.globalsign.com/tsa/r6advanced1
You may also verify the signature within the properties of the file, under the Digital Signatures tab.
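The two signing runs described above, written out as a PowerShell script. This is an added example, not a command set from the article or from GlobalSign: the file name, the SHA-256 certificate's common name and the SHA-1 Authenticode timestamp URL are placeholders; the thumbprint and the SHA-2 RFC 3161 timestamp URL are the ones given in the article. It uses Method 2 (/sha1 thumbprint) for the SHA-1 certificate and Method 1 (/n common name) for the SHA-256 certificate, so both selection options appear. Two points the article does not spell out: the second run must pass /as so that signtool appends the SHA-256 signature instead of overwriting the SHA-1 one, and the SHA-1 signature must be applied first, because a Windows 7 machine without the SHA-2 update only validates the first (primary) signature in the file.

```powershell
# Added example (not from the GlobalSign article): dual-sign one PE file with signtool.exe,
# selecting each certificate explicitly instead of letting /a pick one.
# Assumptions:
#   - signtool.exe from the Windows SDK is on PATH
#   - both certificates are installed, with private keys, in the current user's certificate store
#   - $File, $Sha256Name and $Sha1Tsa are placeholders; $Sha1Thumb and $Sha2Tsa come from the article
$File       = ".\MyApp.exe"                                     # placeholder file to sign
$Sha1Thumb  = "81c560ba1c8c9fe07e7f16f37960e87be5565696"        # thumbprint shown in the article (Method 2)
$Sha256Name = "Example Corp Ltd"                                # placeholder common name of the SHA-256 cert (Method 1)
$Sha1Tsa    = "http://<sha1-authenticode-timestamp-url>"        # placeholder; the article does not give this URL
$Sha2Tsa    = "http://timestamp.globalsign.com/tsa/r6advanced1" # SHA-2 RFC 3161 timestamp service from the article

# 1) First (primary) signature: SHA-1 certificate selected by thumbprint, SHA-1 file digest (/fd sha1),
#    timestamped with the legacy Authenticode protocol (/t) so that un-updated Windows 7 can validate it.
& signtool.exe sign /sha1 $Sha1Thumb /fd sha1 /t $Sha1Tsa /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit code $LASTEXITCODE)" }

# 2) Second signature: SHA-256 certificate selected by common name, SHA-256 file digest (/fd sha256).
#    /as appends this signature; without it signtool would replace the SHA-1 signature from step 1.
#    /tr with /td sha256 requests an RFC 3161 timestamp using SHA-256.
& signtool.exe sign /n $Sha256Name /fd sha256 /tr $Sha2Tsa /td sha256 /as /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit code $LASTEXITCODE)" }

# 3) Verify every signature in the file: /all checks each embedded signature, /pa applies the
#    default Authenticode policy, /v lists the signing and timestamp certificates for each one.
& signtool.exe verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed (exit code $LASTEXITCODE)" }

# Get-AuthenticodeSignature only reports the primary signature, so it is a quick check that the
# SHA-1 signature is still in first position after the append; use the signtool output above for both.
Get-AuthenticodeSignature -FilePath $File | Format-List Status, SignerCertificate, TimeStamperCertificate
```

After running this, the Digital Signatures tab in the file's Properties lists two entries, one per digest algorithm, each with its own timestamp; if only the SHA-256 entry appears, the second run was made without /as and the first signature was overwritten.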