Tuesday, March 6, 2018

Dual Signing with SHA256 and SHA1 Standard Code Signing Certificates

Authenticode Dual Code Signing Instructions

In some instances, you may need to sign an application with two different signatures (hashing algorithms). For example, you may want to build an application that runs on both Windows 7 and Windows 8. Windows 8 supports SHA256 Code Signing Certificates (SHA-2 hashing algorithm), whereas Windows 7 may only support SHA-1 Code Signing Certificates (SHA-1 hashing algorithm). See Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.
In this situation, you can first sign the application with a primary signature using a SHA256 Code Signing Certificate. Then you can append a secondary signature using a SHA1 Code Signing Certificate.
For EV Code Signing Certificate dual signing instructions, see Dual Signing with SHA256 and SHA1 EV Code Signing Certificates.

Dual Signing Process for Code Signing Certificates

The dual code signing process with SHA256 and SHA1 signatures consists of four main steps. You may need to complete all four or just one or two.
 

Getting Your SHA256 and SHA1 Code Signing Certificates

These instructions assume that you have already purchased your Code Signing Certificate and have installed it on your device (e.g., laptop).
By default, DigiCert Code Signing Certificates are SHA256. If you are a DigiCert customer, getting a SHA1 version of your Code Signing Certificate is fairly easy: you just need to re-key your certificate from within your online account.
Note for Sun Java Platform Only: Create your Certificate Signing Request (CSR) before following the steps in this section. Sun Java is the only platform for which you are required to submit a CSR.

How to Get a SHA1 Version of Your Code Signing Certificate (Re-key)

  1. In your DigiCert account, select the My Orders tab, and then click the Order # for your Code Signing Certificate.
  2. On the Manage Your Code Signing – Order # page, under Reissue Actions, click the Re-Key Your Certificate link.
  3. On the Reissue/Re-Key page, do the following:
    1. (Sun Java Platform only) Paste your CSR (Optional)
      In the box, do one of the following:
      1. Upload your CSR
        Click the Click to upload a CSR link to browse for, select, and open your CSR file.
      2. Paste your CSR
        Use a text editor to open your CSR file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the request form in the area provided.
    2. Select Your Server Platform
      In the list of server platforms, select the platform for which your Code Signing Certificate is to be used.
    3. Reason for Reissue/Re-Key (Optional)
      In the box, specify the reason for the certificate reissue.
    4. Advanced Options
      Click +Advanced Options and then uncheck the Use a SHA-2 signature hash algorithm box.
    5. When you are finished, click Continue to Next Step.
  4. On the Reissue – Order # page, click Submit Request.
  5. The certificate requestor of the reissued code signing certificate is sent an email with the subject line: Reissue Your DigiCert Code Signing Certificate (Order #).
  6. The email contains a link that lets you reissue and install your Code Signing Certificate: Installing Your Code Signing Certificate.
 

Verifying Your SHA1 and SHA256 Code Signing Certificates

Once you've installed both versions of the Code Signing Certificate on your device (e.g., laptop), you need to determine which certificate is the SHA256 and which is the SHA1. We recommend using our DigiCert® Certificate Utility for Windows to make the verification process easier.

How to Verify the SHA1 and SHA2 Versions of Your Code Signing Certificates

  1. On your Windows workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
  2. Run the DigiCert Certificate Utility.
    Double-click DigiCertUtil.
  3. In the DigiCert Certificate Utility for Windows©, click Code Signing (blue and silver shield), select the Code Signing Certificate whose signature hash you want to verify, and then click View Certificate.
  4. In the Certificate window, select the Details tab and look for the Signature hash algorithm field to identify whether the certificate uses a sha256 or sha1 signature hash.
  5. In the DigiCert Certificate Utility for Windows©, click Code Signing (blue and silver shield), right-click on the Code Signing Certificate whose signature hash you just checked, and then click Edit friendly name.
    Note: Good friendly names can help you easily identify each version of the Code Signing Certificate at a glance.
  6. In the Friendly Name box, enter a unique friendly name for that certificate to help you distinguish it from the other version of the Code Signing Certificate (e.g., yourCompany-SHA256 or yourCompany-SHA1).
  7. When you are finished, click Save.
  8. Repeat steps 3 through 7 to identify the second version of your Code Signing Certificate.
 

Building the Signing Commands and Signing Your Files

Once both Code Signing Certificates have been identified (SHA256 and SHA1 versions), you need to build the command that you will use to sign your files with both signature hashes (SHA256 and SHA1).
Note: Make sure to use the latest version of SignTool (6.3 or later) to avoid errors. To get SignTool version 10.0, install Windows 10 SDK onto your computer.

How to Get Your Code Signing Certificates' Thumbprints

First you need to get the thumbprint from each version of your Code Signing Certificate (SHA256 and SHA1).
  1. Open up a text editor (e.g., Notepad).
  2. Run the DigiCert® Certificate Utility for Windows.
    Double-click DigiCertUtil.
  3. In the DigiCert Certificate Utility for Windows©, click Code Signing (blue and silver shield), right-click on your SHA256 Code Signing Certificate, and then click Copy thumbprint to clipboard.
  4. After you receive the message that the thumbprint has been copied to the clipboard, paste the thumbprint for your SHA256 Code Signing Certificate in the text editor.
  5. Repeat the above steps 2 through 4 to get the thumbprint for the SHA1 Code Signing Certificate.
    Important: Make sure to note which thumbprint is the SHA256 and which one is the SHA1.

How to Build the Signing Commands and Sign Your Files

For all SignTool command line options, refer to the Microsoft SignTool documentation. When using the SHA2 timestamp or /fd sha256, make sure to use the latest version of SignTool (6.3 or later).
Note: In step 2 below, replace XXSHA1CERTTHUMBPRINTXX with the thumbprint from the SHA1 version of your Code Signing Certificate that is in your text editor. Then, replace XXSHA256CERTTHUMBPRINTXX with the thumbprint from the SHA2 version of your Code Signing Certificate that is in your text editor. In both commands the /sha1 option only selects which certificate to sign with, by its SHA-1 thumbprint; it does not set the hash algorithm of the signature, which is controlled by /fd.
  1. Open the Command Prompt as an admin.
    1. On the Windows Start screen/menu, type cmd.
    2. Right-click on Command Prompt and then click Run as administrator.
  2. In the Command Prompt, run the following commands to apply the SHA1 signature as the primary signature and then append the SHA256 signature as a secondary signature (systems without SHA-2 support only evaluate the primary signature, so the SHA1 signature must come first):
    • signtool sign /t http://timestamp.digicert.com /sha1 XXSHA1CERTTHUMBPRINTXX yourfile.exe
    • signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 XXSHA256CERTTHUMBPRINTXX yourfile.exe
 

How to Verify the Digital Signatures

  1. Right-click on the application and then click Properties.
  2. Select the Digital Signatures tab to view the signing certificates and timestamps.
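The thumbprint lookup, two-pass signing and signature verification described above, as an added PowerShell example that is not part of the DigiCert page. It assumes both certificate versions are in the current user's personal store under the subject given in $SubjectCn, that signtool.exe from the Windows 10 SDK is on PATH, and that $File is a placeholder for the file you sign; it verifies with signtool rather than the Properties dialog so that both signatures are checked.

```powershell
# Added example (not DigiCert's script): pick the SHA-1 and SHA-256 versions of a
# code signing certificate, dual-sign a file, and verify every signature on it.
# Assumptions: both certificates share the subject below and have private keys,
# signtool.exe is on PATH, and the file path is a placeholder.
param(
    [string]$SubjectCn = 'CN=YourCompany',   # assumed subject of both certificates
    [string]$File      = '.\yourfile.exe'    # file to sign (placeholder)
)

# Code signing certificates with a usable private key for this subject
$certs = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SubjectCn*" }

# Tell the versions apart by the certificate's own signature hash algorithm,
# the same field the Details tab shows as "Signature hash algorithm".
$sha1Cert   = $certs | Where-Object { $_.SignatureAlgorithm.FriendlyName -eq 'sha1RSA' }   | Select-Object -First 1
$sha256Cert = $certs | Where-Object { $_.SignatureAlgorithm.FriendlyName -eq 'sha256RSA' } | Select-Object -First 1

if (-not $sha1Cert -or -not $sha256Cert) {
    throw "Need one sha1RSA and one sha256RSA certificate for $SubjectCn; found $($certs.Count)."
}

# Friendly names make the two versions obvious in certmgr and DigiCertUtil
$sha1Cert.FriendlyName   = 'yourCompany-SHA1'
$sha256Cert.FriendlyName = 'yourCompany-SHA256'

# /sha1 selects the certificate by thumbprint; /fd sets the file digest algorithm.
# Pass 1: primary signature, SHA-1 digest, Authenticode timestamp (/t).
& signtool sign /t http://timestamp.digicert.com /fd sha1 /sha1 $sha1Cert.Thumbprint $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit code $LASTEXITCODE)" }

# Pass 2: appended (/as) secondary signature, SHA-256 digest, RFC 3161 timestamp (/tr, /td).
& signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $sha256Cert.Thumbprint $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit code $LASTEXITCODE)" }

# Verify all signatures (/all), not only the primary one, against the default
# Authenticode policy (/pa); /v prints each signature's digest algorithm and timestamp.
& signtool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed (exit code $LASTEXITCODE)" }
```

The verbose verify output should list two signatures, the first with a SHA1 file digest and the second with a SHA256 file digest; a single signature means the /as pass did not append.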

Source: https://www.digicert.com/code-signing/code-signing-dual-signing-sha256-sha1.htm
