Dual signing with osslsigncode
10 Feb 2016

The recent deprecation of SHA1-based code signing certificates for Windows 7 and later means that software developers need to begin signing their software with one of the SHA2 algorithms (e.g. SHA256).
The trouble is that older versions of Windows don't support SHA2. The workaround is to dual sign, but it's not immediately clear how to do this with osslsigncode.
Here's how I worked it out!
Doing that for bliss was easy enough - contact our friendly certificate provider at K Software and request a new certificate, then plug these into the build process. Start Windows 7 and it all works!
Not so fast! It turns out Windows XP and Vista don't support SHA2. So if I want the installer to work on those platforms, I need to do something called dual signing where two signatures are applied to the same file. Specifically, XP and Vista require a SHA1 signature.
It wasn't immediately clear how to do this with osslsigncode. I use osslsigncode to build the bliss Windows installer on Linux, together with all the other versions. This gives me a one-click build and makes life much easier at each release, so I didn't want to stop using osslsigncode.
This answer on StackOverflow pointed me to the answer: the -nest parameter. I was on an old version of osslsigncode, so after upgrading to 1.7.1 I was able to use this.
To dual sign with osslsigncode, simply run the command twice, following these rules:
- Specify different -h parameters, sha1 and sha2
- The second execution should include the -nest option
- The SHA1 signature should be applied first
That last one was the biggest gotcha for me. I was trying with SHA2 first, but Windows XP seemingly ignored the latter SHA1 signature. Changing the order, so SHA1 is signed before SHA2 fixed it.
Here's how the osslsigncode calls look:
osslsigncode -n "bliss installer" -i "https://www.blisshq.com" -h sha1 [... key files etc]
osslsigncode -n "bliss installer" -i "https://www.blisshq.com" -nest -h sha2 [... key files etc]
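As an added example (not from the original post), here is a small POSIX shell wrapper that runs the two passes in the order the rules above require, passing the SHA1-signed file through an intermediate file into the nested SHA2 pass, and then checks the result with osslsigncode verify. The PKCS#12 bundle, the OSSL_PASS variable holding its password, the optional timestamp URL and the file names are assumptions; the description and URL are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes osslsigncode >= 1.7.1
# on PATH (or named in OSSLSIGNCODE), a PKCS#12 bundle with cert and key, and
# its password in OSSL_PASS. File names are placeholders.
set -eu

OSSLSIGNCODE="${OSSLSIGNCODE:-osslsigncode}"

# dual_sign IN OUT PKCS12 [TIMESTAMP_URL]
# Pass 1: SHA1 signature. It must go first, otherwise Windows XP ignores it.
# Pass 2: SHA2 signature added alongside the first via -nest.
dual_sign() {
    in="$1"; out="$2"; p12="$3"; tsurl="${4:-}"
    tmp="${out}.sha1only"   # intermediate file carrying only the SHA1 signature

    # Optional Authenticode timestamp; each pass gets its own countersignature.
    ts_flags=""
    if [ -n "$tsurl" ]; then
        ts_flags="-t $tsurl"
    fi

    # shellcheck disable=SC2086  # ts_flags is intentionally word-split
    "$OSSLSIGNCODE" sign -pkcs12 "$p12" -pass "$OSSL_PASS" \
        -n "bliss installer" -i "https://www.blisshq.com" \
        -h sha1 $ts_flags -in "$in" -out "$tmp"

    "$OSSLSIGNCODE" sign -pkcs12 "$p12" -pass "$OSSL_PASS" \
        -n "bliss installer" -i "https://www.blisshq.com" \
        -nest -h sha2 $ts_flags -in "$tmp" -out "$out"

    rm -f "$tmp"
    # Non-zero exit status here means the signatures did not verify.
    "$OSSLSIGNCODE" verify -in "$out"
}
```

Call it as `dual_sign setup.exe setup-signed.exe codesign.p12 http://timestamp.example` after exporting OSSL_PASS; the intermediate file is removed once the second pass succeeds.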
In Windows 10, which supports multiple signatures, here's how the Digital Signatures box appears:
HTH!
Thanks to dvanzuijlekom for the image above.