Dual signing with osslsigncode

10 Feb 2016

The recent deprecation of the use of SHA1 derived digital certificates for Windows 7 and later has meant that software developers need to begin signing their software using one of the SHA2 algorithms (e.g. SHA256).

The trouble is that older versions of Windows don't support SHA2. The workaround is to dual sign, but it's not immediately clear how to do this with osslsigncode. Here's how I worked it out!

If a piece of software was signed before 1 January, 2016 with SHA1 then that will continue working on Windows 7 until 1 January 2017. Software signed since will show ugly errors on Windows 7. To fix this, you need to sign with a SHA2 digest algorithm.

Doing that for bliss was easy enough - contact our friendly certificate provider at K Software and request a new certificate, then plug it into the build process. Start Windows 7 and it all works!

Not so fast! It turns out Windows XP and Vista don't support SHA2. So if I want the installer to work on those platforms, I need to do something called dual signing where two signatures are applied to the same file. Specifically, XP and Vista require a SHA1 signature.

It wasn't immediately clear how to do this with osslsigncode. I use osslsigncode to allow me to build the bliss Windows installer on Linux, together with all other versions. This means I have a one-click build, which makes life much easier at each release. So I didn't want to stop using osslsigncode.

This answer on StackOverflow pointed me to the answer: the -nest parameter. I was on an old version of osslsigncode, so after upgrading to 1.7.1 I was able to use this.

To dual sign with osslsigncode simply run the command twice, following these rules:

  • Specify different -h parameters, for sha1 and sha2
  • The second execution should include the -nest option
  • The SHA1 signature should be applied first

That last one was the biggest gotcha for me. I was trying with SHA2 first, but Windows XP seemingly ignored the latter SHA1 signature. Changing the order, so that the SHA1 signature is applied before the SHA2 one, fixed it.

Here's how the osslsigncode calls look:

osslsigncode -n "bliss installer" -i "https://www.blisshq.com" -h sha1 [... key files etc]
osslsigncode -n "bliss installer" -i "https://www.blisshq.com" -nest -h sha2 [... key files etc]
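
The two-pass procedure above as a reusable shell function (an added example, not part of the original post or of osslsigncode). The function name dual_sign, the SIGNER override and the file names are assumptions; the key and certificate options the post elides are passed through unchanged to both passes.

```shell
#!/bin/sh
# Added example, not from the original post: dual-sign in the order it describes.
# SIGNER can be overridden for a dry run; DESC and URL are the post's -n/-i values.
SIGNER="${SIGNER:-osslsigncode}"
DESC="bliss installer"
URL="https://www.blisshq.com"

# dual_sign <unsigned-file> <signed-file> [key/cert options used for both passes]
dual_sign() {
    if [ "$#" -lt 2 ]; then
        echo "usage: dual_sign <unsigned> <signed> [signer options]" >&2
        return 2
    fi
    unsigned=$1; signed=$2; shift 2
    [ -f "$unsigned" ] || { echo "dual_sign: missing input: $unsigned" >&2; return 1; }
    [ "$unsigned" != "$signed" ] || { echo "dual_sign: input and output must differ" >&2; return 1; }

    # Private directory for the SHA1-only intermediate file.
    tmpdir=$(mktemp -d) || return 1
    mid="$tmpdir/sha1-only"
    # Remove any stale output so an old build cannot pass for a fresh one.
    rm -f "$signed"

    # Pass 1 applies the SHA1 signature (needed by XP and Vista).
    # Pass 2 reads that result and nests the SHA2 signature next to it.
    if "$SIGNER" -n "$DESC" -i "$URL" -h sha1 "$@" -in "$unsigned" -out "$mid" &&
       "$SIGNER" -n "$DESC" -i "$URL" -nest -h sha2 "$@" -in "$mid" -out "$signed"
    then
        rc=0
    else
        rc=1
        rm -f "$signed"   # never leave a partly signed file at the output path
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Example call (file names are placeholders):
# dual_sign installer-unsigned.exe installer.exe -certs cert.pem -key key.pem
```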

In Windows 10, which supports multiple signatures, here's how the Digital Signatures box appears:

[Image: The Digital Signatures tab]

Thanks to dvanzuijlekom for the image above.