Dual Code Signing

Dual Code Signing

Introduction

In some situations you may need to sign an application with two different signatures (hashing algorithms). This is usually when you want to sign an application that will be used on Windows 7 and Windows 10.

Windows 10 supports SHA256 Code Signing Certificates (SHA-2 hashing algorithm); whereas, Windows 7 may only support SHA-1 Code Signing Certificates (SHA-1 hashing algorithm). See Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.

This will mean that to sign a file which will be used on a Windows 7 machine (which hasn't been updated to the latest version) you will need to use our Standard Code Signing Certificate issued using the SHA1 algorithm option. However, in order for the file to be used on a Windows 10 machine it will need to signed either by a Standard Code Sign Certificate issued in SHA256 or an EV Code Signing Certificate.

Additional Information: 

EV Code Signing Certificates offer immediate SmartScreen reputation and is only issued in SHA256.

If a Standard Code Signing Certificate is used for both signatures,  only one Code Signing Certificate needs to be ordered, as the Certificate can be reissued in either hashing algorithm for free. Please follow the instructions in the guide linked to reissue your Certificate: Reissue Client Certificate 

Also its important to note that each individual copy of a Standard Code Signing Certificate will build its own SmartScreen reputation. So if you decide to reissue your standard Code Signing Certificate, your new Certificate will have no SmartScreen reputatuon and will need to be built from scratch.

Dual Signing Process

In order to sign your file with two different Code Signing Certificates, the normal signing command will need to be used twice. Note, this will however need to be slightly modified for each command.

In a standard signing process the command /a will be used. This command would automatically select the best Certificate to use to sign the file (refer to Important Signtool Options in this article for more information). Now that you will be signing twice using a different Certificate in each signing, the command used to select the Certificate will need to be different. However, now that you wish to dual sign with two different Certificates, the /a command will not work as it will select the same Certificate during each signing. This command will need to be replaced with a different command which allows you to manually specify the Certificate you want to use.

Method 1: If you are signing a file using two Certificates with different common names, replace the /a command with /n "your Certificate common name".

Method 2: If both of your Certificates have the same common name, replace the /a command with /sha1 Hash.

The hash is your Certificates thumbprint. An example of this command would be: /sha1 81c560ba1c8c9fe07e7f16f37960e87be5565696

Your thumbprint can be found following the guide below:

  1. Open your SafeNet Authentication Client
  2. Insert the token containing your installed Certificates
  3. Click the Gear Icon on the top right for Advanced View:


codesigning3.png

4) Browse to your Certificate as shown in the screenshot below and double click on it:

  codesigning3.png
  
5) This will then open the Certificate screen shown below:


codesigning5.png

6) Please then scroll to the bottom of the "Details" tab to find the Thumbprint of your Certificate. This can then be copied for later use in your signing command. The Hash for this particular Certificate would be: 81c560ba1c8c9fe07e7f16f37960e87be5565696

Prerequisites

Important SignTool Options

  • /ac  -  Specify an Additional Certificate.
  • /a  -  Automatically selects the best signing Certificate. Sign Tool will find all valid Certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing Certificate.
  • /n "Certificate Common Name" Specifies the Certificate to sign the file from your Windows Certificate Store using the Certificate common name.
  • /fd SHA256  -  Specify the file digest algorithm used in creating file signatures.
  • /t  -  Specify a Microsoft Authenticode compatible time stamp server.
  • /tr  -  Specify an RFC 3161 compliant trusted time stamp server.*Recommended*
  • /td SHA256  -  Must be called after "/tr", this command specifies the TimeStamp digest Algorithm. *Recommended*
  • /sha1 Hash  - Used to select the signing Certificate by the SHA-1 Hash (Thumbprint).                                 

Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the Certificate itself has expired.

TimeStamp URLs:
SHA-1 based: http://rfc3161timestamp.globalsign.com/standard
SHA-2 based: http://rfc3161timestamp.globalsign.com/advanced

Procedure

  1. You can either sign files out of a working directory, or you can place them in your Windows SDK\bin folder.
  2. Open the Command Prompt: Windows 7: Start > Run > cmd, or for Windows 8, press the Windows Key, then type cmd and press enter.
  3. Navigate to the directory with signtool.exe.
  4. Use the following command to sign your file: 
    signtool sign /sha1 Hash /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 c:/path/to/your/file.exe
  5. Then Sign your file again using the command below with the Hash of the second Certificate: 
    signtool sign /as /sha1 Hash /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 /fd SHA256 c:/path/to/your/file.exe
    Note: For Kernel Driver Signing include the argument “/ac GlobalSign Root CA.crt” to the signtool command in order to complete the MS Cross Certificate chain. sign /sha1 Hash /ac GlobalSign Root CA.crt /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 c:/path/to/your/file.exe
  6. Enter your Token Password. If the signing is successful you will see a prompt informing you so.
  7. To verify the successful signature use the following commands:
    Authenticode:  signtool verify /v /pa
    Kernel Driver Signing:  signtool verify /v /kp

 You may also verify the signature within the properties of the file, under the Digital Signatures tab.

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Scan your endpoints to locate all of your Certificates.

Log In / Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.