I have two code signing certificates (one SHA-1, one SHA-256) which I'd like to apply to the same file. I tried to append the SHA-256 certificate, but this fails:
:: Signs with the SHA-1 certificate
signtool sign /sha1 8f52fa9db30525dfabb35b08bd1966693a30eccf /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe
:: Signs with the SHA-2 certificate
signtool sign /sha1 8b0026ecbe5bf245993b26e164f02e1313579e47 /as /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe
This fails with the error:
Done Adding Additional Store
SignTool Error: SignedCode::Sign returned error: 0x80070057
The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: my_app_here.exe
If I remove the timestamp URL from the second command, the signing completes successfully, but the SHA-2 signature has no timestamp. (Whether or not I put a timestamp on the first signature has no effect)
The intent here is to allow someone to verify the app with the stronger certificate if they are on an operating system that supports this, but to avoid failing validation on operating systems that don't support the stronger certificates (Vista, XP).
Is this kind of thing even possible?
SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.
The RFC 3161 URL for Symantec/Verisign is:
http://sha256timestamp.ws.symantec.com/sha256/timestamp
If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.
Source:
https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With