Dual signing. SHA1 and SHA256 on ps1 and msi files

  • Question

  • Hi,

    I'm using signtool.exe and I'm trying to dual-sign the .exe, .ocx, .dll, .cab, .msi and .ps1 files with SHA1 and SHA256.

    I have no problem with .exe, .ocx, .dll, .cab, and when I look at the properties I see there are two certificates, one for SHA1 and one for SHA256.

    But when I try to dual-sign my .msi and .ps1 files, signtool refuses to add a second signature and I have the following error:
    "SignTool Error: Multiple signature support is not implemented for this filetype."

    It seems there is a problem with SHA256 on .ps1 and msi files.

    I tried to add only the SHA256 signature: on .msi files I always have the same error (multiple...), whereas on ps1 files signtool seems OK (Done Adding Additional Store), but if I look at the properties the file has no digital signature.

    I tried on a Win7 machine and on a Win10 machine, so it should not be an OS problem.
    Signtool.exe version : 6.3.9600.16384 and 10.0.10586.15

    Ideas? Is there some signtool version that does not have this problem?

    Thank you

    Michela

    Tuesday, December 15, 2015 11:56 AM

Answers

  • Hi Michela,

    >>SignTool Error: Multiple signature support is not implemented for this filetype.

    Based on your error, I tried to search a lot. Here I found a similar thread.

    sha1 / sha256 dual-signing for MSI

    Here is a reply from keeely

    I was just explaining that the error message, namely "Multiple signature support is not implemented for this filetype" is returned from filetypes that can definitely be dual-signed, i.e. PE files, in some circumstances. It follows that the same may occur for MSI files as well, although since I wrote that I also tried MSI files and failed to dual-sign them, perhaps making my post less useful!

    This thread: https://github.com/mumble-voip/mumble/issues/1308 suggests that there is a way of doing this, although in my case I don't want to use non-Microsoft tools.

    Hope this helps.

    Have a nice day!

    Kristin



    • Proposed as answer by Kristin Xie Tuesday, December 22, 2015 3:13 AM
    • Marked as answer by DotNet Wang Friday, December 25, 2015 3:02 AM
    Wednesday, December 16, 2015 2:05 AM
  • Thanks, I found the same article and now this one from Microsoft:

    http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

    MSI files cannot be signed with SHA256.

    And ps1 can be signed with SHA256 with a PowerShell script, so I have to dismiss signtool :(

    Thank you Kristin

    • Proposed as answer by Kristin Xie Tuesday, December 22, 2015 3:13 AM
    • Marked as answer by DotNet Wang Friday, December 25, 2015 3:02 AM
    Friday, December 18, 2015 3:46 PM
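
The outcome the thread arrives at, as an added example that is not from any of the posters: dual-sign the file types the question reports working (.exe, .dll, .ocx, .cab) with signtool, give .ps1 files a single SHA256 signature through PowerShell's `Set-AuthenticodeSignature`, and re-read each signature rather than trusting the tool's success message. The folder, certificate thumbprint and timestamp URLs are placeholders, and `Invoke-SignTool` is a helper defined here.

```powershell
# Added example; folder, thumbprint and timestamp URLs are placeholders.
param(
    [string]$Root       = '.\build',
    [string]$Thumbprint = '<CODE-SIGNING-CERT-THUMBPRINT>',
    [string]$LegacyTs   = 'http://timestamp.example.com/authenticode', # signtool /t
    [string]$Rfc3161Ts  = 'http://timestamp.example.com/rfc3161',      # signtool /tr
    [string]$ScriptTs   = 'http://timestamp.example.com/authenticode'  # Set-AuthenticodeSignature
)
$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }

function Invoke-SignTool {
    # Run signtool.exe and turn a non-zero exit code into a terminating error.
    & signtool.exe @args
    if ($LASTEXITCODE -ne 0) { throw "signtool $($args -join ' ') failed ($LASTEXITCODE)" }
}

$targets = Get-ChildItem -Path $Root -Recurse -File |
    Where-Object { $_.Extension -match '^\.(exe|dll|ocx|cab|ps1)$' }
$bad = @()
foreach ($file in $targets) {
    $path = $file.FullName
    switch -Regex ($file.Extension) {
        '^\.(exe|dll|ocx|cab)$' {
            # SHA1 primary signature first, then /as appends the SHA256 signature.
            Invoke-SignTool sign /sha1 $Thumbprint /fd sha1 /t $LegacyTs $path
            Invoke-SignTool sign /sha1 $Thumbprint /as /fd sha256 /tr $Rfc3161Ts /td sha256 $path
            # /all checks every signature on the file; /pa applies the default Authenticode policy.
            Invoke-SignTool verify /pa /all $path
        }
        '^\.ps1$' {
            # Scripts get one SHA256 signature, written by PowerShell itself.
            Set-AuthenticodeSignature -FilePath $path -Certificate $cert `
                -HashAlgorithm SHA256 -TimestampServer $ScriptTs | Out-Null
            # Re-read the signature block from disk; a success message is not proof.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $bad += "$path : $($sig.Status)" }
        }
    }
}
if ($bad) { throw "Script signature check failed:`n$($bad -join "`n")" }
```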

All replies

  • Hi Michela,

    Thanks for sharing what you found. It could be better for someone who has the same issue.

    Best regards,

    Kristin



    Tuesday, December 22, 2015 3:14 AM