Signtool can't do SHA256 signing on Windows 7

I finally found a solution for double-signing files in Windows 7.

The trick is to use the Windows 8 SDK (not 8.1 or 10)! I used this download: https://developer.microsoft.com/windows/downloads/windows-8-sdk

In Windows 7 x64, make sure to point to the x64 binary (...\8.0\bin\x64\signtool.exe).

As a bonus, here's a comfortable batch script I made. Simply save it as doublesign.bat and drag a file you want signed onto that bat file.

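@ECHO OFF

REM Adjust these paths and the password for your environment.
set signtool="C:\path to signtool\signtool.exe"
set certfile="C:\path to certificate\cert.p12"
set certpass="Password"
REM "company" is not used by the commands below.
set company="Optional"

REM First pass: primary SHA-1 signature with an Authenticode timestamp (/t).
echo Signing with SHA-1
%signtool% sign /f %certfile% /p %certpass% /t http://timestamp.comodoca.com/authenticode %1
REM Short pause between the two signing passes.
timeout /T 3
REM Second pass: /as appends a SHA-256 signature (/fd sha256) with an
REM RFC 3161 timestamp (/tr, /td sha256) instead of replacing the first one.
echo. & echo Signing with SHA-256
%signtool% sign /f %certfile% /p %certpass% /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 %1

@PAUSE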

The issue is actually way simpler.

The problem is with the time stamp server.

Instead of using signtool.exe with this:

/t http://timestamp.comodoca.com

You need to use it like this for SHA1:

/tr http://timestamp.comodoca.com /td sha1

And for SHA256:

/tr http://timestamp.comodoca.com/?td=sha256 /td sha256
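
One way to confirm that a file really ends up with both signatures, as an added example that is not part of either answer above: the script stops at the first signtool failure and then verifies every signature in the file. The paths and password are placeholders, the timestamp URLs are the ones from the first answer, and it assumes the signtool build in use supports `verify /all`.

```batch
@ECHO OFF
REM Added example: dual-sign one file, stop on the first failure, then verify.
REM Paths and the password are placeholders, not real values.
setlocal

set "signtool=C:\path to signtool\signtool.exe"
set "certfile=C:\path to certificate\cert.p12"
set "certpass=Password"
set "target=%~1"

if not defined target (
    echo Usage: %~nx0 file-to-sign
    exit /b 2
)

REM Primary signature: SHA-1 file digest, Authenticode timestamp.
"%signtool%" sign /f "%certfile%" /p "%certpass%" /t http://timestamp.comodoca.com/authenticode "%target%"
if errorlevel 1 goto :failed

REM Secondary signature: /as appends instead of replacing the SHA-1 one.
"%signtool%" sign /f "%certfile%" /p "%certpass%" /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "%target%"
if errorlevel 1 goto :failed

REM /pa applies the default Authenticode verification policy, /all checks
REM every signature in the file, /v prints verbose details for each one.
"%signtool%" verify /pa /all /v "%target%"
if errorlevel 1 goto :failed

echo Both signing passes succeeded and all signatures verified.
exit /b 0

:failed
echo signtool failed with exit code %errorlevel%.
exit /b 1
```

Run it from a command prompt with the file to sign as the only argument, so the verbose verification output stays on screen.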