The quick and easy way is to use the new kSign 3 utility! For more information, read the kSign article.


Dual signing attaches both a SHA1 and a SHA256 signature into a PE-format file. PE-format files are .EXE, .DLL and .OCX; MSI and other file formats typically do not support dual signing. The purpose of dual signing is to support, from a single file, legacy platforms such as Windows XP and Windows Server, operating systems that typically do not fully support SHA256 signatures.



What versions of Windows support SHA-256 signatures?

SHA-256 signatures are not supported at all on Windows XP SP2 or earlier. SHA-256 is supported only in user mode on Windows XP SP3, Vista and Windows Server 2008 R1; SHA-256 certificates are not supported for drivers on any version prior to Windows 7. HOWEVER, Windows XP SP3 and Windows Vista do NOT support SHA256 timestamps or file digests, so dual-signing is needed to support those platforms, even if you only have a SHA256 certificate.

To support Windows XP SP3 and Windows Vista you need to dual sign and include a SHA1 file digest, like this:

signtool.exe sign /f MyCert.pfx /p <PFX password> /t http://timestamp.comodoca.com/?td=sha256 /v foo.exe

signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe

Run BOTH of those signtool.exe commands.

PLEASE NOTE: As of May 30th 2020, SHA1 timestamping is effectively deprecated because the SHA1 roots have expired. Use only the SHA256 timestamp server from now on: http://timestamp.comodoca.com/?td=sha256


Note that you may need to pass additional arguments to signtool.exe, such as a password to decrypt the PFX/P12 file.

Note that you need version 6.3 of Signtool to do this. It comes with the Windows 8.1 SDK, or can be downloaded separately.

If you want to include a FULL SHA1 signature (to support even older Windows versions), use two different certificates:

signtool.exe sign /f MySHA1Cert.pfx /p <PFX password> /t http://timestamp.comodoca.com/?td=sha256 /v foo.exe

signtool.exe sign /f MySHA256Cert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe



What about supporting versions of Windows that don't support SHA-256?

If you want to support Windows XP SP2 or earlier, you should dual-sign your EXEs, DLLs and other files. This will require a SHA-1-based certificate.*

Currently Microsoft's Signtool is the most effective way of accomplishing that, though our signing tool kSign will have dual signing support VERY soon.

If you wish to dual-sign you may do so with version 6.3 of signtool, which comes with the Windows 8.1 SDK.

signtool.exe sign /f MyCert.pfx /t <URL to SHA-1 Authenticode timestamp server> /v foo.exe

signtool.exe sign /f MyCert.pfx /fd sha256 /tr <URL to SHA-2 RFC-3161 timestamp server> /td sha256 /as /v foo.exe

* Note that you may need to pass additional arguments to signtool.exe, such as a password to decrypt the PFX/P12 file.


For SHA-256 timestamps, use Comodo's SHA256 timestamp server: http://timestamp.comodoca.com/?td=sha256