signtool Dual Signing Failure

6

Question concerning a failure I'm having when attempting to dual sign with SHA1/SHA256.

I've had a SHA256 code signing certificate for a few years now, but before the new year (2016), I started using /fd SHA256 for the hashing algorithm to be compliant with Microsoft's deprecation of SHA1.

This worked fine, but of course the signature hash doesn't validate on older OS's. I don't care about XP, but I still sort of care about Vista.

I first sign for SHA1 using the following:

signtool sign /fd SHA1 /f "cert.pfx" /p "password" /t http://timestamp.verisign.com/scripts/timsetamp.dll "file"

Then I try for my dual signature:

signtool sign /as /fd SHA256 /f "cert.pfx" /p "password" /tr http://timestamp.globalsign.com/?signature=sha2 "file"

And signtool gives me this:


Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)

Now I can successfully sign a file with a single algorithm (Either SHA1 OR SHA256), but I can't add the second signature. My only guess is that because I'm using the SAME certificate for both algorithms it doesn't like that. Do I need to have a different physical certificate for each algorithm?

Just wondering because before the new year, I had been using a SHA256 certificate for years with a SHA1 algorithm and it validated fine on all Operating Systems.

sha1
sha256
signtool
asked on Stack Overflow Feb 7, 2016 by Jay Schwegler

1 Answer

1

This is from mis-matched dlls. signtool.exe needs the correct wintrust.dll and mssign32.dll otherwise I get 0x80070032 only when dual signing. This site has a 8.1 download so you don't need the whole SDK http://ksoftware.freshdesk.com/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files- signtool 8.1 is at http://cdn1.ksoftware.net/signtool_8.1.zip

answered on Stack Overflow May 12, 2017 by user1139455

User contributions licensed under CC BY-SA 3.0