Dual signing with osslsigncode
10 Feb 2016
The recent deprecation of SHA1-signed code-signing certificates for Windows 7 and later means that software developers need to begin signing their software with one of the SHA2 algorithms (e.g. SHA256).
The trouble is that older versions of Windows don't support SHA2. The workaround is to dual sign, but it's not immediately clear how to do this with osslsigncode.
Here's how I worked it out!
If a piece of software was signed and timestamped with SHA1 before 1 January 2016 then it will continue working on Windows 7 until 1 January 2017. Software signed since then will show ugly errors on Windows 7. To fix this, you need to sign with a SHA2 digest algorithm.
Not so fast! It turns out Windows XP and Vista don't support SHA2 signatures. So if I want the installer to work on those platforms, I need to do something called dual signing, where two signatures are applied to the same file. Specifically, XP and Vista require a SHA1 signature.
It wasn't immediately clear how to do this with osslsigncode. I use osslsigncode so that I can build the bliss Windows installer on Linux, together with all the other versions. This means I have a one-click build, which makes life much easier at each release. So I didn't want to stop using osslsigncode.
This answer on StackOverflow pointed me to the solution: the -nest parameter. I was on an old version of osslsigncode, so after upgrading to 1.7.1 I was able to use this.
To dual sign with osslsigncode, simply run the command twice, following these rules:
- Specify a different digest algorithm (-h) on each run
- The second execution should include the -nest parameter
- The SHA1 signature should be applied first
That last one was the biggest gotcha for me. I was trying with SHA2 first, but Windows XP seemingly ignored the later SHA1 signature. Changing the order, so that SHA1 is signed before SHA2, fixed it.
Here's how the osslsigncode calls look (the second run takes the first run's output file as its -in, since -nest adds a nested signature to the existing one rather than replacing it):
osslsigncode -n "bliss installer" -i "https://www.blisshq.com" -h sha1 [... key files etc]
osslsigncode -n "bliss installer" -i "https://www.blisshq.com" -nest -h sha2 [... key files etc]
In Windows 10, which supports multiple signatures, here's how the Digital Signatures box appears:
Thanks to dvanzuijlekom for the image above.