Reputation: 1526
We need to sign a dll file with SHA1 & SHA2 (to obtain, prior to Win XP SP3, a signing cert with SHA1, and for post Win XP SP3 OSs the highest security of SHA2). I found an article that says to do something like the below, but I can't get it to work (show 2 certs in Win 8). For an example of what I mean by a dual signed dll, look at the certificate of the System.Data.dll in the .NET Framework 4.0 in Windows 8, and you'll see a SHA1 & SHA2 certificate in the properties window.
Signtool sign /fd sha256 /ph /as /sha1 XX...XX $(TargetPath)
http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734(v=vs.11).aspx
Does anyone know how to do this? Thanks! -jp
Upvotes: 7
Views: 3354
Reputation: 51
The key point is using the /as switch on the secondary sign step to "append signature". If you don't include that, it'll just overwrite the first signature.
Upvotes: 3
Reputation: 1526
I figured this out. Below is how you do this. Hope this helps someone else out:
signtool sign /fd sha1 /f sha1cert.pfx /p password file.dll
signtool sign /as /fd sha256 /f sha2cert.pfx /p password file.dll
*You have to use at least a VS2012 Developer Command Prompt for SHA2 signing.
Upvotes: 9
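The two commands from the answer above, wrapped as an added PowerShell example (not code from the question or from either answer) that also checks the result. The check matters because the failure the question describes (only one certificate visible in Windows 8) is exactly what happens when /as is left off the second call: the SHA-1 signature is overwritten rather than appended, and nothing in the sign step itself warns you. The .pfx file names, the password and the two timestamp server URLs are placeholders, not values from the page; the timestamp switches (/t, /tr, /td) are standard signtool options that the answer does not use, added so the signatures stay valid after the certificates expire. As the answer notes, signtool.exe must come from a VS2012 Developer Command Prompt or newer.

```powershell
# Added example: dual-sign a binary (SHA-1 primary, SHA-256 appended) and
# prove that both signatures are present. Placeholders below are assumptions.
function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $File,
        [string] $Sha1Pfx  = 'sha1cert.pfx',   # placeholder: SHA-1 code-signing cert
        [string] $Sha2Pfx  = 'sha2cert.pfx',   # placeholder: SHA-2 code-signing cert
        [string] $Password = 'password',       # placeholder: .pfx password
        # Legacy Authenticode timestamp server, used with /t (placeholder URL)
        [string] $AuthenticodeTsa = 'http://timestamp.authenticode.example.invalid',
        # RFC 3161 timestamp server, used with /tr (placeholder URL)
        [string] $Rfc3161Tsa      = 'http://timestamp.rfc3161.example.invalid'
    )

    # 1. Primary signature: SHA-1 file digest with the SHA-1 cert. /t applies
    #    a legacy Authenticode timestamp, the only kind XP-era verifiers parse.
    & signtool.exe sign /fd sha1 /f $Sha1Pfx /p $Password /t $AuthenticodeTsa $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit $LASTEXITCODE)" }

    # 2. Secondary signature: SHA-256 digest with the SHA-2 cert. /as APPENDS
    #    instead of replacing; /tr with /td sha256 adds an RFC 3161 timestamp.
    & signtool.exe sign /as /fd sha256 /f $Sha2Pfx /p $Password /tr $Rfc3161Tsa /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit $LASTEXITCODE)" }

    # 3. Verify each signature by its index. "/ds 1" can only succeed when an
    #    appended second signature exists, so a forgotten /as fails here
    #    instead of silently shipping a SHA-1-only binary.
    $count = 0
    foreach ($index in 0, 1) {
        & signtool.exe verify /pa /ds $index $File | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Signature #$index missing or invalid on $File" }
        $count++
    }

    # Caveat: Get-AuthenticodeSignature reports only the primary signature,
    # so it cannot be used on its own to confirm dual signing; the signtool
    # loop above is what actually checks the appended one.
    $primary = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File          = $File
        Signatures    = $count
        PrimaryStatus = $primary.Status
        PrimarySigner = $primary.SignerCertificate.Subject
    }
}

# Usage (run from a VS2012 or newer Developer Command Prompt / PowerShell
# with signtool.exe on PATH):
Invoke-DualSign -File '.\file.dll' -Password 'password'
```

The function returns an object whose Signatures field is 2 only if both index 0 and index 1 verified; if the second signtool sign call is run without /as, the "/ds 1" verification fails and the function throws, which is the condition the accepted answer's /as note is about.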