Windows代码签名 添加SHA1/SHA256双签名

本文提供了有关如何使用一个微软Authenticode证书添加双重签名算法(SHA1和SHA256)。您可以对一个软件或应用程序文件添加两个不同的签名。例如,假设您希望您的软件在Windows 7和Windows 8上运行。Windows 7支持SHA256哈希算法签名,但需要更新补丁(见微软安全公告2949927),和Windows 8支持的SHA256哈希算法创建的签名。


SignTool.exe 签名工具参数:

This example uses several of the arguments that SignTool supports:

  • Sign: Configures the tool to sign the intended file
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /a: Selects the best signing certificate automatically. If this option is not present, SignTool expects to find only one valid signing certificate.
  • /as: Appends this signature. If no primary signature is present, this signature is made the primary signature.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /n: Specifies the Common Name of a certificate. Use this option if you have certificates issued to more then one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password
  • /s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /td: Used with the /tr switch to request a digest algorithm used by the RFC 3161 time stamp server.
    Note: The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm.
  • /tr: Specifies the URL of the RFC 3161 time stamp server. This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.

Important: Symantec recommends customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn’t allow use of SHA2 service.

Note: The SHA-1 timestamping URL is
(The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is

The SHA-256 with RFC 3161 timestamping URL is
Step 1: Sign the Primary Signature with SHA1 Algorithm

The following syntax signs the file using SHA1 certificate stored in your Personal certificate store

With SHA-1 TimeStamp:

signtool.exe sign /a /s MY /n Common name /fd sha1 /t /v file to be signed

Step 2: Append the Secondary Signature with SHA256 Algorithm by using SHA2 certificate

Once the application file been signed with SHA1 algorithm in Step 1 , follow the steps below to append the secondary signature with SHA256 algorithm to the same application file.

The following syntax signs the file using SHA2 certificate stored in your Personal certificate store

With SHA-256 RFC 3161 TimeStamp:

signtool.exe sign /a /s MY /n “Common name” /fd sha256 /tr /td sha256 /as /v “<file to be signed>”

Note: If you are signing the file with a certificate stored in a password protected PFX file, simply use the arguments “/f YourCertFileName.pfx /p pfxpassword” instead of “/a /s MY /n “Common namein the command.


Step 3: Verify the Signature

Browse to the signed application file under your windows 8 machine

  1. Right click on the signed application file
  2. click on Properties
  3. Click on Digital Signatures tab

You should see both SHA1 and SHA256 signature algorithm listed in this tab if the signing process is successful.

For additional information, refer to the following article from the Microsoft knowledge base: