Question concerning a failure I'm having when attempting to dual sign with SHA1/SHA256.
I've had a SHA256 code signing certificate for a few years now, but before the new year (2016), I started using /fd SHA256 for the hashing algorithm to be compliant with Microsoft's deprecation of SHA1.
This worked fine, but of course the signature hash doesn't validate on older OSes. I don't care about XP, but I still sort of care about Vista.
I first sign for SHA1 using the following:
signtool sign /fd SHA1 /f "cert.pfx" /p "password" /t http://timestamp.verisign.com/scripts/timstamp.dll "file"
Then I try for my dual signature:
signtool sign /as /fd SHA256 /f "cert.pfx" /p "password" /tr http://timestamp.globalsign.com/?signature=sha2 "file"
And signtool gives me this:
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
Now I can successfully sign a file with a single algorithm (either SHA1 or SHA256), but I can't add the second signature. My only guess is that because I'm using the SAME certificate for both algorithms it doesn't like that. Do I need to have a different physical certificate for each algorithm?
Just wondering because before the new year, I had been using a SHA256 certificate for years with a SHA1 algorithm and it validated fine on all operating systems.
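The two-step procedure in the question, written up as an added PowerShell script (not code from the original post), with each signtool exit code checked and a final verification pass that lists every signature on the file. It assumes a signtool.exe from the Windows 8.1 SDK or later, which is the version that understands the /as switch; the SDK path, certificate path, password and file name are placeholders, and the two timestamp URLs are the ones from the question. The /td switch sets the digest used for the RFC 3161 timestamp so it matches the SHA-256 file digest.

```powershell
# Added example (not from the original post): dual-sign a PE file with SHA-1 and then
# SHA-256 using the same certificate, fail fast on any signtool error, then verify.
# Assumptions: signtool.exe from the Windows 8.1 SDK or later (required for /as);
# all paths, the password and the file name below are placeholders.
param(
    [string]$SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe",  # placeholder SDK path
    [string]$PfxPath  = "cert.pfx",       # placeholder certificate
    [string]$PfxPass  = "password",       # placeholder password
    [string]$File     = "file.exe",       # placeholder target
    [string]$Sha1Tsa  = "http://timestamp.verisign.com/scripts/timstamp.dll",  # Authenticode (/t) TSA from the question
    [string]$Sha2Tsa  = "http://timestamp.globalsign.com/?signature=sha2"      # RFC 3161 (/tr) TSA from the question
)

# Run signtool with the given arguments and stop on a non-zero exit code,
# so a failed primary signature never silently proceeds to the append step.
function Invoke-SignTool {
    param([string[]]$ToolArgs)
    $output = & $SignTool @ToolArgs 2>&1
    $output | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($ToolArgs[0]) failed with exit code $LASTEXITCODE"
    }
    return $output
}

# Step 1: primary signature, SHA-1 file digest, Authenticode timestamp (/t).
Invoke-SignTool @("sign", "/fd", "sha1", "/f", $PfxPath, "/p", $PfxPass, "/t", $Sha1Tsa, $File) | Out-Null

# Step 2: append (/as) a second signature with a SHA-256 file digest and an
# RFC 3161 timestamp (/tr); /td makes the timestamp digest SHA-256 as well.
Invoke-SignTool @("sign", "/as", "/fd", "sha256", "/f", $PfxPath, "/p", $PfxPass,
                  "/tr", $Sha2Tsa, "/td", "sha256", $File) | Out-Null

# Step 3: verify all signatures (/all) under the default Authenticode policy (/pa).
# Verbose output (/v) prints one "Signature Index: N" line per signature, so a
# correctly dual-signed file yields two of them.
$verify = Invoke-SignTool @("verify", "/pa", "/all", "/v", $File)
$count = @($verify | Where-Object { "$_" -match "Signature Index:" }).Count
if ($count -lt 2) {
    Write-Warning "Expected 2 signatures on $File but signtool listed $count"
} else {
    Write-Host "OK: $File carries $count signatures"
}
```

Running the script with the default placeholders replaced by real paths reproduces the question's sequence exactly; the difference is that a failure in step 2 surfaces as a thrown error with the exit code, and step 3 shows whether the SHA-256 signature was actually appended rather than relying on the absence of an error message.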