signtool Dual Signing Failure

Question concerning a failure I'm having when attempting to dual sign with SHA1/SHA256.

I've had a SHA256 code signing certificate for a few years now, but before the new year (2016), I started using /fd SHA256 for the hashing algorithm to be compliant with Microsoft's deprecation of SHA1.

This worked fine, but of course the signature hash doesn't validate on older OS's. I don't care about XP, but I still sort of care about Vista.

I first sign for SHA1 using the following:

signtool sign /fd SHA1 /f "cert.pfx" /p "password" /t http://timestamp.verisign.com/scripts/timstamp.dll "file"

Then I try for my dual signature:

signtool sign /as /fd SHA256 /f "cert.pfx" /p "password" /tr http://timestamp.globalsign.com/?signature=sha2 "file"

And signtool gives me this:


Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)

Now I can successfully sign a file with a single algorithm (Either SHA1 OR SHA256), but I can't add the second signature. My only guess is that because I'm using the SAME certificate for both algorithms it doesn't like that. Do I need to have a different physical certificate for each algorithm?

Just wondering because before the new year, I had been using a SHA256 certificate for years with a SHA1 algorithm and it validated fine on all Operating Systems.

Jay Schwegler, asked Feb 07 '16 02:02


2 Answers

This is from mismatched DLLs. signtool.exe needs the correct wintrust.dll and mssign32.dll, otherwise I get 0x80070032 only when dual signing. This site has an 8.1 download so you don't need the whole SDK: http://ksoftware.freshdesk.com/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files- and signtool 8.1 is at http://cdn1.ksoftware.net/signtool_8.1.zip

user1139455, answered Jan 04 '23 00:01


I had the same issue, and that signtool from SDK 8.1 (6.3.9600.17298) seems to be VERY particular about the order of command-line options!

If I used signtool sign /v /f my.pfx /p 1234 /fd sha256 /as test.exe

Dual-signing failed with this error: "Multiple signature support is not implemented for this filetype", which is actually the same error as the one from the W10 SDK, since -2147024846/0x80070032 translates to (HRESULT)ERROR_NOT_SUPPORTED.

BUT, if I used signtool sign /v /f my.pfx /p 1234 /as /fd sha256 test.exe it worked!

See what I did there? I just swapped the order of /as and /fd sha256!

I mean, this stuff is just nightmare fuel when you are working on something important and then, when it's time for production, it just doesn't work for seemingly no reason. Luckily that was not the case this time, as I was just testing, but I thought I was going mad since I first got it to work once, but not again.

To be clear, this is the exact order in which I could dual-sign files with SHA1 and SHA256, using the signtool.exe from the Windows 8.1 SDK, available here (the one from the W10 SDK still does not work, and the one from the V7.1 SDK does not support multiple signatures at all):

  1. Sign with SHA1: signtool sign /v /f my.pfx /p 1234 test.exe
  2. Sign with SHA256: signtool sign /v /f my.pfx /p 1234 /as /fd sha256 test.exe
anzz1, answered Jan 03 '23 22:01
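As an added example that is not part of the question or either answer, the following PowerShell script runs the two signing steps in the option order anzz1 reports as working (/as before /fd), stops at the first non-zero exit code, decodes any HRESULT that signtool prints in the same way the answer decodes 0x80070032 to ERROR_NOT_SUPPORTED, and then checks that both signatures are actually present with signtool verify /pa /all. The signtool path, the PFX file, the password and both timestamp URLs are placeholders you must replace with your own values; nothing below is taken from the original posts.

```powershell
# Added example (not from the question or either answer): dual-sign a PE file
# in the order SHA-1 first, then SHA-256 appended with /as placed before /fd,
# and verify that both signatures are present afterwards.
#
# Assumptions/placeholders: the signtool path, PFX file, password and timestamp
# URLs are all examples; substitute your own.

param(
    [Parameter(Mandatory)] [string] $File,
    [Parameter(Mandatory)] [string] $Pfx,
    [Parameter(Mandatory)] [string] $Password,
    # Assumed location of the Windows 8.1 SDK signtool; adjust for your install.
    [string] $SignTool = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe',
    # Placeholder timestamp endpoints; use the ones your CA publishes.
    [string] $Sha1TimestampUrl    = 'http://timestamp.example.invalid/authenticode',
    [string] $Rfc3161TimestampUrl = 'http://timestamp.example.invalid/rfc3161'
)

function Decode-HResult {
    # Translate a signtool HRESULT such as -2147024846 (0x80070032) into the
    # Win32 error it wraps (facility 7 = Win32, code in the low 16 bits) and
    # the matching system message, e.g. "Win32 50 (The request is not supported)".
    param([int] $HResult)
    $win32 = $HResult -band 0xFFFF
    $msg   = (New-Object System.ComponentModel.Win32Exception($win32)).Message
    return ('0x{0:X8} -> Win32 {1} ({2})' -f $HResult, $win32, $msg)
}

function Invoke-SignTool {
    # Run signtool with the given argument list, echo its output, and throw
    # with a decoded HRESULT if it reports one and exits non-zero.
    param([string[]] $Arguments)
    $output = & $SignTool @Arguments 2>&1 | ForEach-Object { $_.ToString() }
    $output | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) {
        # signtool prints failures as "(<decimal>/0x<hex>)"; pick up the decimal.
        $hr = $output | Select-String -Pattern '\((-?\d+)/0x[0-9A-Fa-f]{8}\)' | Select-Object -First 1
        $detail = if ($hr) { Decode-HResult ([int]$hr.Matches[0].Groups[1].Value) }
                  else     { 'no HRESULT reported' }
        throw "signtool $($Arguments[0]) failed (exit $LASTEXITCODE): $detail"
    }
}

# Step 1: primary SHA-1 signature with a legacy Authenticode timestamp (/t).
Invoke-SignTool @('sign', '/v', '/f', $Pfx, '/p', $Password, '/fd', 'sha1',
                  '/t', $Sha1TimestampUrl, $File)

# Step 2: append the SHA-256 signature. /as is given BEFORE /fd, the order the
# answer above found necessary with the 8.1 SDK signtool; /tr and /td request
# an RFC 3161 timestamp hashed with SHA-256.
Invoke-SignTool @('sign', '/v', '/f', $Pfx, '/p', $Password, '/as', '/fd', 'sha256',
                  '/tr', $Rfc3161TimestampUrl, '/td', 'sha256', $File)

# Step 3: verify every signature on the file (/all), not just the primary one,
# against the default Authenticode policy (/pa). Without /all a missing second
# signature would go unnoticed.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

Run it as `.\Dual-Sign.ps1 -File .\test.exe -Pfx .\my.pfx -Password '<pfx password>'`. The final verify step matters because Get-AuthenticodeSignature only reports the primary (SHA-1) signature, so it cannot by itself confirm that the appended SHA-256 signature landed; signtool verify /all walks every signature in the file.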