Menu

Dual Code Signing

Feb 21, 2024

Dual Code Signing

Disclaimer: Since Windows 7 has been patched to support SHA-2 signatures, GlobalSign has followed the mandated cessation of issuance of SHA-1 CodeSigning Certificates since early 2021. This article remains available for customers who still have active SHA-1 Certificates and may use them for other purposes.

Note: Starting January 26, 2021, GlobalSign will no longer offer SHA-1 Authenticode and CodeSign Timestamping services.

Introduction

In some situations you may need to sign an application with two different signatures (hashing algorithms). This is usually when you want to sign an application that will be used on Windows 7 and Windows 10.

Windows 10 supports SHA256 Code Signing Certificates (SHA-2 hashing algorithm); whereas, Windows 7 may only support SHA-1 Code Signing Certificates (SHA-1 hashing algorithm). See Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.

This will mean that to sign a file which will be used on a Windows 7 machine (which hasn't been updated to the latest version) you will need to use our Standard Code Signing Certificate issued using the SHA1 algorithm option. However, in order for the file to be used on a Windows 10 machine it will need to signed either by a Standard Code Sign Certificate issued in SHA256 or an EV Code Signing Certificate.

Additional Information: 

EV Code Signing Certificates offer immediate SmartScreen reputation and is only issued in SHA256.

If a Standard Code Signing Certificate is used for both signatures,  only one Code Signing Certificate needs to be ordered, as the Certificate can be reissued in either hashing algorithm for free. Please follow the instructions in the guide linked to reissue your Certificate: Reissue Client Certificate 

Also its important to note that each individual copy of a Standard Code Signing Certificate will build its own SmartScreen reputation. So if you decide to reissue your standard Code Signing Certificate, your new Certificate will have no SmartScreen reputatuon and will need to be built from scratch.

Dual Signing Process

In order to sign your file with two different Code Signing Certificates, the normal signing command will need to be used twice. Note, this will however need to be slightly modified for each command.

In a standard signing process the command /a will be used. This command would automatically select the best Certificate to use to sign the file (refer to Important Signtool Options in this article for more information). Now that you will be signing twice using a different Certificate in each signing, the command used to select the Certificate will need to be different. However, now that you wish to dual sign with two different Certificates, the /a command will not work as it will select the same Certificate during each signing. This command will need to be replaced with a different command which allows you to manually specify the Certificate you want to use.

Method 1: If you are signing a file using two Certificates with different common names, replace the /a command with /n "your Certificate common name".

Method 2: If both of your Certificates have the same common name, replace the /a command with /sha1 Hash.

The hash is your Certificates thumbprint. An example of this command would be: /sha1 81c560ba1c8c9fe07e7f16f37960e87be5565696

Your thumbprint can be found following the guide below:

  1. Open your SafeNet Authentication Client
  2. Insert the token containing your installed Certificates
  3. Click the Gear Icon on the top right for Advanced View:

    codesigning3.png
  4. Browse to your Certificate as shown in the screenshot below and double click on it:

    codesigning3.png
  5. This will then open the Certificate screen shown below:

    codesigning5.png
  6. Please then scroll to the bottom of the "Details" tab to find the Thumbprint of your Certificate. This can then be copied for later use in your signing command. The Hash for this particular Certificate would be: 81c560ba1c8c9fe07e7f16f37960e87be5565696

Prerequisites

  • GlobalSign Code Signing Certificate Downloaded & Installed onto a hardware token.
  • Windows Software Development Kit (SDK) For Windows 8.1
  • SHA-256 orders additionally use the R1-R3 Cross Certificate – default March 31, 2014 & after. (The R1-R3 Cross Certificate will need to be installed on the signing computer but not specified as an additional Certificate during the signing procedure)

Important SignTool Options

  • /ac  -  Specify an Additional Certificate.
  • /a  -  Automatically selects the best signing Certificate. Sign Tool will find all valid Certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing Certificate.
  • /n "Certificate Common Name" Specifies the Certificate to sign the file from your Windows Certificate Store using the Certificate common name.
  • /fd SHA256  -  Specify the file digest algorithm used in creating file signatures.
  • /t  -  Specify a Microsoft Authenticode compatible time stamp server.
  • /tr  -  Specify an RFC 3161 compliant trusted time stamp server.*Recommended*
  • /td SHA256  -  Must be called after "/tr", this command specifies the TimeStamp digest Algorithm. *Recommended*
  • /sha1 Hash  - Used to select the signing Certificate by the SHA-1 Hash (Thumbprint).                                 

Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the Certificate itself has expired.

TimeStamp URLs:
SHA-2 based: http://timestamp.globalsign.com/tsa/r6advanced1

Procedure

  1. You can either sign files out of a working directory, or you can place them in your Windows SDK\bin folder.
  2. Open the Command Prompt: Windows 7: Start > Run > cmd, or for Windows 8, press the Windows Key, then type cmd and press enter.
  3. Navigate to the directory with signtool.exe.
  4. Use the following command to sign your file: 
    signtool sign /sha1 Hash /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 c:/path/to/your/file.exe
  5. Then Sign your file again using the command below with the Hash of the second Certificate: 
    signtool sign /as /sha1 Hash /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /fd SHA256 c:/path/to/your/file.exe
  6. Enter your Token Password. If the signing is successful you will see a prompt informing you so.
  7. To verify the successful signature use the following commands:
    Authenticode:  signtool verify /v /pa
    Kernel Driver Signing:  signtool verify /v /kp

 You may also verify the signature within the properties of the file, under the Digital Signatures tab.

Related Articles

Code Signing Best Practices

Mar 2, 2020, 6:33 AM

GlobalSign recommends that developers follow best practices for the Code Signing process and for securely generating and storing private keys.

Read More

Ordering an EV Code Signing Certificate (HSM-Based)

Mar 2, 2020, 6:51 AM

The following article will walk you through the ordering process of an EV Code Signing Certificate (HSM-Based). If this is not the solution you are looking for...

Read More

How to download and install EV & OV Code Signing Certificate (HSM-Based)

Mar 2, 2020, 7:10 AM

The following article will walk you through downloading and installing your EV Code Signing Certificate (HSM-Based). At the completion of this procedure your Certificate...

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support