10

Due to Windows changing their security policies, we are planning to begin code-signing driver files with the SHA-256 algorithm instead of SHA-1. However, we still want to be able to support older OSes that still require SHA-1 signing.

Using Microsoft's signtool.exe we are able to code sign files successfully with both SHA-1 and SHA-256 digest algorithms using the /fd flag. However, if possible, we would like to sign the file with both algorithms simultaneously. Is this even possible? We would like to avoid having multiple sets of drivers that are signed with different algorithms and determining which set to install based on OS -- which would be our alternative approach.

If anyone has had experience with accomplishing this please explain what approach you took. If this isn't possible, an explanation of why it's impossible would be appreciated.

CJBS
ksun
  • 1
    I believe that is what they do in this tutorial: http://pixcl.com/Signing-Windows-8-Drivers.htm Keep in mind that if you have a kernel-mode driver, the requirements are totally changing in Windows 10 and you will need to get it signed by Microsoft ([reference](http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx)). – David Grayson Jun 05 '15 at 23:55
  • 2
    I have also heard from another developer that the way to go is to just sign it with SHA-1 only, but use a SHA-2 certificate. Your signature will still be valid in the latest versions of Windows. I haven't tried this stuff myself yet, but my article might be helpful to you: http://www.davidegrayson.com/signing/ – David Grayson Jun 05 '15 at 23:59
  • Thanks for the info David. That would be fantastic if driver signing works on Windows 10 when signing using SHA-1 with a SHA-2 certificate. Also, thanks for the heads up about the upcoming requirement of getting drivers signed by Microsoft through their developer portal. That seems like it could be a huge pain. Hopefully we can find a way of automating that process. It's good to be aware of though. Thanks. – ksun Jun 08 '15 at 14:56
  • The portal does have an API. – David Grayson Jun 08 '15 at 15:12
  • 1
    You can check [Is it possible to dual-sign installer and uninstaller with sha1 and sha256 certificates?](http://stackoverflow.com/questions/32082347/is-it-possible-to-dual-sign-installer-and-uninstaller-with-sha1-and-sha256-certi/32089910#32089910) – RobeN Dec 02 '15 at 11:12
  • related: keep dual-signing SHA1 for Windows 7 things as it is only being forced onto SHA2 in July 2019: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus – CAD bloke Aug 28 '19 at 23:21

1 Answer

8

You can append the second certificate to the EXE/DLL/SYS by calling `signtool sign /as [signing cert parameters] [name of file]`

Matthew
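As an added example (not from the original question or answer), the following PowerShell script performs the dual signing the answer describes with the Windows SDK's signtool.exe: a primary SHA-1 signature first, then a SHA-256 signature appended with `/as`, then verification of both. The driver file name, PFX path, password environment variable and timestamp server URLs are placeholders and must be replaced with your own.

```powershell
# Dual-sign a driver: SHA-1 primary signature first, SHA-256 appended with /as.
# Added example, not the answerer's code. File name, PFX path, password source
# and timestamp URLs are assumptions; substitute your own values.
param(
    [string]$File     = ".\driver.sys",                           # assumed driver file
    [string]$Pfx      = ".\codesign.pfx",                         # assumed certificate
    [string]$PfxPass  = $env:CODESIGN_PFX_PASSWORD,               # assumed env variable
    [string]$Sha1Ts   = "http://timestamp.example/authenticode",  # assumed /t server
    [string]$Sha256Ts = "http://timestamp.example/rfc3161",       # assumed /tr server
    [string]$SignTool = "signtool.exe"                            # assumed to be on PATH
)

$ErrorActionPreference = "Stop"

# Run signtool and fail loudly on a non-zero exit code (signtool prints its own errors).
function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

# 1. Primary signature: SHA-1 file digest with a legacy Authenticode timestamp (/t).
#    Order matters: Windows versions without SHA-2 code-signing support only look at
#    the first (primary) signature, so the SHA-1 one must be applied first.
Invoke-SignTool @("sign", "/fd", "sha1", "/t", $Sha1Ts,
                  "/f", $Pfx, "/p", $PfxPass, "/v", $File)

# 2. Secondary signature: SHA-256 file digest appended (/as) with an RFC 3161
#    timestamp (/tr) whose digest is also SHA-256 (/td).
Invoke-SignTool @("sign", "/as", "/fd", "sha256", "/tr", $Sha256Ts, "/td", "sha256",
                  "/f", $Pfx, "/p", $PfxPass, "/v", $File)

# 3. Verify every signature on the file, not just the primary one (/all).
#    /pa applies the default Authenticode policy; for a kernel-mode driver, replace
#    it with /kp to check against the kernel-mode driver signing policy instead.
Invoke-SignTool @("verify", "/pa", "/all", "/v", $File)

# Get-AuthenticodeSignature reports only the primary (SHA-1) signature; use the
# signtool verify output above to confirm that the appended SHA-256 signature is valid.
Get-AuthenticodeSignature -FilePath $File | Format-List Status, SignerCertificate
```

The script only answers the SHA-1 plus SHA-256 question; as the comments above note, kernel-mode drivers on Windows 10 additionally have to go through Microsoft's signing process, which this script does not cover.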