The quick and easy way is to use the new kSign 3 utility ! For more information - click here to read the kSign article.
Dual signing attaches both a SHA1 and a SHA256 signature in to a PE format file. PE format files are .EXE .DLL .OCX -- MSI and other file formats typically do not support dual signing. The purpose of dual signing is to provide support from a single file on legacy platforms, like Windows XP and Windows Server -- operating systems that don't typically fully support SHA256 signatures.
What versions of Windows support SHA-256 signatures?
SHA-256 signatures are not supported at all on Windows XP SP2 or earlier. SHA-256 is only supported in User Mode for Windows XP SP 3, Vista and Windows Server 2008R1 -- SHA-256 certificates are not supported for drivers on any version prior to Windows 7. HOWEVER -- Windows XP SP3 and Windows Vista do NOT support SHA256 timestamps or file digests so dual-signing is needed to support those platforms, even if you only have a SHA256 certificate.
In order to support Windows XP SP3 and Windows Vista you need to dual sign and include an SHA1 file digest. Like this :
signtool.exe sign /f MyCert.pfx /p <PFX password> /t http://timestamp.comodoca.com /v foo.exe
signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe
Run BOTH of those signtool.exe commands.
*** Note that you may need to pass additional arguments to signtool.exe -- like a password to decrypt the PFX/P12 file.
Note that you do need the 6.3 version of Signtool to do this. It comes with the Windows 8.1 SDK, or download here..
If you want to include a FULL SHA1 signature (to support even older Windows versions) - use two different certificates :
signtool.exe sign /f MySHA1Cert.pfx /p <PFX password> /t http://timestamp.comodoca.com /v foo.exe
signtool.exe sign /f MySHA256Cert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe
What about supporting versions of Windows that don't support SHA-256?
If you want to support Windows XP SP2 or earlier, you should dual-sign your EXEs, DLLs and other files. This will require an SHA-1 based certificate**
Currently Microsoft's Signtool is the most effective way of accomplishing that, though our signing tool kSign will have dual signing support VERY soon.
If you wish to dual-sign you may do so with the 6.3 version of signtool that comes with windows 8.1 SDK.
signtool.exe sign /f MyCert.pfx /t <URL to SHA-1 Authenticode timestamp server> /v foo.exe
signtool.exe sign /f MyCert.pfx /fd sha256 /tr <URL to SHA-2 RFC-3161 timestamp server> /td sha256 /as /v foo.exe
* Note that you may need to pass additional arguments to signtool.exe -- like a password to decrypt the PFX/P12 file.
For SHA-256 timestamps, use Comodo's SHA256 timestamp server: http://timestamp.comodoca.com/?td=sha256
** We can supply a new SHA1 certificate for use with legacy systems if you've purchased your SHA256 certificate through us. Please contact firstname.lastname@example.org for the details, and be sure you include your current order number.