Question about the error I am getting when trying to dual sign with SHA1 / SHA256.
I have had a SHA256 code signing certificate for several years, but before the new year (2016) I started using /fd SHA256 so that the hash algorithm follows Microsoft's SHA1 deprecation.
This worked well, but of course the signature is not verified on older OSs. I don't care about XP, but I still care about Vista.
I sign first with SHA1 using the following:
signtool sign /fd SHA1 /f "cert.pfx" /p "password" /t http://timestamp.verisign.com/scripts/timstamp.dll "file"
Then I try to add my second signature:
signtool sign /as /fd SHA256 /f "cert.pfx" /p "password" /tr http://timestamp.globalsign.com/?signature=sha2 "file"
And signtool gives me this:
Done Adding Additional Store SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
Now I can successfully sign a file with one algorithm (either SHA1 or SHA256), but I cannot add a second signature. My only guess is that since I use the same certificate for both algorithms, it doesn't like this. Do I need a separate physical certificate for each algorithm?
It's just interesting, because before the new year I used the SHA256 certificate with the SHA1 algorithm for many years, and it worked well on all operating systems.
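As an added example that is not part of the original post, here is the same two-step sequence as a PowerShell script that stops at the first signtool failure and then verifies every signature in the file with signtool verify /all, so you can see which signatures actually landed. It assumes signtool.exe from the Windows SDK is on PATH; the file, certificate and password values are placeholders, and the /td SHA256 switch (absent from the post's command) is added so the RFC 3161 timestamp digest matches the SHA256 signature.

```powershell
# Added example (not the original poster's script): dual-sign with SHA1 first,
# append a SHA256 signature, then verify all signatures present in the file.
# Assumes signtool.exe (Windows SDK) is on PATH. Paths and password are placeholders.
param(
    [string]$File     = ".\file.exe",   # placeholder
    [string]$Pfx      = ".\cert.pfx",   # placeholder
    [string]$Password = "password",     # placeholder
    [string]$Sha1Tsa  = "http://timestamp.verisign.com/scripts/timstamp.dll",
    [string]$Sha2Tsa  = "http://timestamp.globalsign.com/?signature=sha2"
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    # signtool returns a non-zero exit code on error; stop so a failed second
    # step is not hidden behind a successful first one.
    if ($LASTEXITCODE -ne 0) {
        throw ("signtool {0} failed with exit code {1}" -f $Arguments[0], $LASTEXITCODE)
    }
}

# 1. Primary signature: SHA1 digest with an Authenticode (/t) timestamp,
#    the form that older verifiers such as Vista can still validate.
Invoke-SignTool @('sign', '/fd', 'SHA1', '/f', $Pfx, '/p', $Password,
                  '/t', $Sha1Tsa, $File)

# 2. Appended signature (/as): SHA256 digest with an RFC 3161 (/tr) timestamp;
#    /td SHA256 asks the timestamp server for a matching digest algorithm.
Invoke-SignTool @('sign', '/as', '/fd', 'SHA256', '/td', 'SHA256',
                  '/f', $Pfx, '/p', $Password, '/tr', $Sha2Tsa, $File)

# 3. Verify every signature in the file (/all), not only the primary one,
#    against the default Authenticode policy (/pa), verbosely.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

The verbose output of step 3 lists each signature and its timestamp separately, which is the quickest way to confirm that both the SHA1 and the SHA256 signature are present after the /as step.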