sha1 / sha256 dual-signing for MSI

  • Question

  • We're in the process of releasing an application that should be "as compatible as possible" with Authenticode for all supported versions of Windows Server. At this time, Windows Server 2003 SP2 is still within its lifecycle, so we would like to support that. But we also validate for Windows Server 2012 R2.

    Our executables are "dual-signed", i.e. they contain an SHA-1 digest signature with a certificate chain that only contains sha1RSA signatures + an Authenticode timestamp. They are additionally signed using a SHA-256 digest with a certificate chain that exclusively uses sha256RSA signatures + a RFC 3161 timestamp. This is actually the same way as e.g. msvcr120.dll is signed. The result is perfect: older OSs recognise and accept the first (sha1) signature, newer OSs see the second signature and are happy with sha256.

    However, signtool refuses to add a second signature when signing our MSI installer database. It claims "SignTool Error: Multiple signature support is not implemented for this filetype." Is that really true? Are we supposed to hand out 2 (otherwise identical) MSI files to customers, one using sha1 and one using sha256 signatures?

    Regards, Frans

    Wednesday, August 20, 2014 7:25 AM

All replies

  • Same problem here.

    Somebody at Microsoft care to make sure that the dual SHA-1+SHA-256 signing of all signable file types (.cab, .cat, .ctl, .dll, .exe, .msi, .ocx, etc.) is covered properly in tools, documentation and updates (if needed)?

    Sunday, December 7, 2014 3:19 AM
  • The functionality for dual-signing appears to be a mix of operating system and SDK functionality. It seems you need Windows 8.0 or later to dual sign, or more specifically a fully working SignerSignEx2.

    I suspect that moving your build to a later OS may well make this work, as I got this trying to dual-sign a PE file on Windows 7, even though I had copied signtool.exe, mssign32.dll and Microsoft.Windows.Build.Signing.mssign32.dll.manifest from the Windows 8.1 SDK across to my Windows 7 machine. Dual signing worked fine on Windows 10.

    Monday, March 2, 2015 1:19 PM
  • Just to clarify: does your solution allow to specifically dual-sign .msi files? (This thread was about the challenges encountered in dual-signing .msi files, not .exe files, which worked fine.)

    Thanks!

    Monday, March 2, 2015 6:00 PM
  • I wasn't offering a solution. I was just explaining that the error message, namely "Multiple signature support is not implemented for this filetype", is returned from filetypes that can definitely be dual-signed, i.e. PE files, in some circumstances. It follows that the same may occur for MSI files as well, although since I wrote that I also tried MSI files and failed to dual-sign them, perhaps making my post less useful!

    This thread: https://github.com/mumble-voip/mumble/issues/1308 suggests that there is a way of doing this, although in my case I don't want to use non-Microsoft tools.

    Tuesday, March 3, 2015 9:40 AM
  • You can dual sign your MSIs using the 'osslsigncode' based on OpenSSL.
    Thursday, December 17, 2015 10:48 AM
  • I found the same article and now this one from Microsoft:

    http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

    Msi files cannot be signed with SHA256

    Friday, December 18, 2015 3:45 PM
  • Msi files cannot be signed with SHA256

    That's not what the article says though. It confirms that you cannot dual-sign an MSI, and for this reason only it suggests to use SHA-1 signing and datestamping, with a SHA-2 certificate, for maximum compatibility with legacy systems. However, by personal experience I know that you can single-sign (either SHA-1 or SHA-2, i.e. SHA256 works fine) an MSI file with Microsoft tools, and it will verify fine on operating systems that can handle the certificates and datestamp mechanisms used.
    Tuesday, July 26, 2016 1:52 PM
  • There are alternatives to signtool that support dual signing of MSI files, such as Jsign (https://ebourg.github.io/jsign/) or osslsigncode.
    Wednesday, December 11, 2019 1:47 PM
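The two-step procedure discussed in this thread, as an added example that is not code from any of the posters: signtool's `/as` appends the SHA-256 signature to a PE file after the SHA-1 one, while the MSI goes through osslsigncode's `-nest` because signtool refuses a second MSI signature. The certificate paths, timestamp URLs and file names are placeholders, and a recent osslsigncode (2.x) is assumed to support `-nest` on MSI.

```powershell
# Added example: dual-sign a PE with signtool and an MSI with osslsigncode,
# then verify that every signature (not just the first) validates.
$ErrorActionPreference = 'Stop'
$PfxSha1   = 'C:\signing\sha1-chain.pfx'      # placeholder: chain using sha1RSA only
$PfxSha256 = 'C:\signing\sha256-chain.pfx'    # placeholder: chain using sha256RSA only
$PfxPass   = $env:PFX_PASSWORD                # taken from the environment, not hard-coded
$TsAuth    = 'http://TSA-AUTHENTICODE.example/' # placeholder Authenticode (legacy) TSA
$TsRfc3161 = 'http://TSA-RFC3161.example/'      # placeholder RFC 3161 TSA

function Sign-PeDual([string]$Path) {
    # 1) Primary signature: SHA-1 digest + Authenticode timestamp. Legacy OSes
    #    (e.g. Server 2003) only ever look at this first signature.
    & signtool.exe sign /fd sha1 /f $PfxSha1 /p $PfxPass /t $TsAuth $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed: $Path" }
    # 2) /as appends a second signature instead of replacing the first:
    #    SHA-256 digest + RFC 3161 timestamp hashed with SHA-256.
    & signtool.exe sign /as /fd sha256 /f $PfxSha256 /p $PfxPass /tr $TsRfc3161 /td sha256 $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 append failed: $Path" }
}

function Sign-MsiDual([string]$In, [string]$Out) {
    $tmp = "$Out.sha1.tmp"
    # Same order as for the PE: SHA-1 first so the primary signature stays legacy-readable.
    & osslsigncode sign -pkcs12 $PfxSha1 -pass $PfxPass -h sha1 -t $TsAuth -in $In -out $tmp
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed: $In" }
    # -nest adds the SHA-256 signature as a nested signature rather than overwriting.
    & osslsigncode sign -pkcs12 $PfxSha256 -pass $PfxPass -h sha256 -ts $TsRfc3161 -nest -in $tmp -out $Out
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 nesting failed: $In" }
    Remove-Item $tmp
}

function Test-AllSignatures([string]$Path) {
    # /all checks every signature in the file; without it only the primary one is verified,
    # which would hide a broken or missing SHA-256 signature.
    & signtool.exe verify /pa /all /v $Path
    return ($LASTEXITCODE -eq 0)
}

Sign-PeDual   'C:\build\setup.exe'                          # placeholder input
Sign-MsiDual  'C:\build\setup.msi' 'C:\build\setup-signed.msi'
foreach ($f in 'C:\build\setup.exe', 'C:\build\setup-signed.msi') {
    if (-not (Test-AllSignatures $f)) { throw "verification failed: $f" }
}
```

Run the verification step on both the newest and the oldest OS you support: a file that passes `/all` on Windows 8.1 or later still has to be checked on the legacy system, which only evaluates the first (SHA-1) signature.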