Question concerning a failure I'm having when attempting to dual sign with SHA1/SHA256.
I've had a SHA256 code signing certificate for a few years now, but before the new year (2016), I started using /fd SHA256 for the hashing algorithm to be compliant with Microsoft's deprecation of SHA1.
This worked fine, but of course the signature hash doesn't validate on older OS's. I don't care about XP, but I still sort of care about Vista.
I first sign for SHA1 using the following:
signtool sign /fd SHA1 /f "cert.pfx" /p "password" /t http://timestamp.verisign.com/scripts/timsetamp.dll "file"
Then I try for my dual signature:
signtool sign /as /fd SHA256 /f "cert.pfx" /p "password" /tr http://timestamp.globalsign.com/?signature=sha2 "file"
And signtool gives me this:
Done Adding Additional Store SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
Now I can successfully sign a file with a single algorithm (Either SHA1 OR SHA256), but I can't add the second signature. My only guess is that because I'm using the SAME certificate for both algorithms it doesn't like that. Do I need to have a different physical certificate for each algorithm?
Just wondering because before the new year, I had been using a SHA256 certificate for years with a SHA1 algorithm and it validated fine on all Operating Systems.
This is from mis-matched dlls. signtool.exe needs the correct wintrust.dll and mssign32.dll otherwise I get 0x80070032 only when dual signing. This site has a 8.1 download so you don't need the whole SDK http://ksoftware.freshdesk.com/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files- signtool 8.1 is at http://cdn1.ksoftware.net/signtool_8.1.zip
User contributions licensed under CC BY-SA 3.0