
Signtool can't do SHA256 signing on Windows 7

Writer Sebastian Wright

I have been using SHA1 signing for many years, but from 2016, Windows is forcing developers to use SHA256.

Windows Enforcement of Authenticode Code Signing and Timestamping

With the Windows 7 SDK signtool, the functions to sign with SHA-256 are "unknown commands", so this signtool is obsolete as a signtool and shouldn't be used any more.

To sign with SHA256 I downloaded the Windows 8.1 SDK to get signtool.exe, which has the new functions (/fd and others). The BAT file and signtool work on Windows 8 and 10, so I know it works, but it crashes on Windows 7 when it tries to timestamp the file.

Signing fails

I use a bat file to sign files, which looks like this (I edited the BAT file so it doesn't show variables, full paths, company name and passwords):

Path\signtool.exe sign /f "Path\Certificate.p12" /fd sha256 /p *password* /du "URL" /tr "timestampServer?td=sha256" /td sha256 /d "Product name" "Filename"

I guess I don't have the proper SDK to support some of the functions, but I can't find any info on the internet on how to set this up on Windows 7. I tried to install the MS Visual C++ 2015 Redistributable (x64), but that still didn't solve the problem.

4 Answers

I finally found a solution for double-signing files in Windows 7.

The trick is to use the Windows 8 SDK (not 8.1 or 10)! I used this download:

In Windows 7 x64 make sure to point to the x64 binary (...\8.0\bin\x64\signtool.exe)

As a bonus here's a comfortable batch script I made. Simply save it as doublesign.bat and drag a file you want to be signed on that bat-file.

@ECHO OFF
REM Save as doublesign.bat and drag the file to sign onto it; %1 is the dropped file.
set signtool="C:\path to signtool\signtool.exe"
set certfile="C:\path to certificate\cert.p12"
set certpass="Password"
set company="Optional"
REM Placeholder: the timestamp server URL is not given in this answer. Use the URL(s)
REM your CA publishes; /t expects an Authenticode timestamp endpoint, /tr an RFC 3161 one.
set tsurl="http://timestamp-server-placeholder"
echo Signing with SHA-1
%signtool% sign /f %certfile% /p %certpass% /t %tsurl% %1
timeout /T 3
echo. & echo Signing with SHA-256 (appended with /as as a second signature)
%signtool% sign /f %certfile% /p %certpass% /as /fd sha256 /tr %tsurl% /td sha256 %1
@PAUSE

The issue is actually way simpler.

The problem is with the time stamp server.

Instead of using signtool.exe with this

/t 

You need to use it like this for SHA1

/tr /td sha1

And for SHA256

/tr /td sha256

Seems I'm no good at reading. Also, I'm answering my own question, as others could find it hard to find, just like me.

Windows doesn't support signtool.exe on Windows 7 any more, so that is why old/obsolete functions like SHA-1 signing are still working, but SHA-256 time stamping is a problem. I found this on MSDN:

Quote from MSDN: Note You can only use SignTool to sign your Windows Store app packages on Windows 8 and later or Windows Server 2012 and later. You can't use SignTool to sign app packages on down level operating systems such as Windows 7 or Windows Server 2008 R2.

If you want to read the whole thing then look here:

How to sign an app package using SignTool


Quoting my answer from here:
If someone happens to run into the same issue as the solution is really stupid.

I had the same issue, and that signtool from SDK 8.1 (6.3.9600.17298) seems to be VERY particular about the order of command line options!

If I used signtool sign /v /f my.pfx /p 1234 /fd sha256 /as test.exe

Dual-signing failed with this error: "Multiple signature support is not implemented for this filetype", which is actually the same error as the one from the W10 SDK, since -2147024846/0x80070032 translates to (HRESULT)ERROR_NOT_SUPPORTED.

BUT, if I used signtool sign /v /f my.pfx /p 1234 /as /fd sha256 test.exe it worked!

See what I did there? I just swapped the order of /as and /fd sha256!

I mean, this stuff is just nightmare fuel when you are working on something important and then, when it's time for production, it just doesn't work for seemingly no reason. Luckily that was not the case this time, as I was just testing, but I thought I was going mad since I first got it to work once, but not again.

To be clear, this is the exact order in which I could dual-sign files with SHA1 and SHA256, using the signtool.exe from the Windows 8.1 SDK, available here (the one from the W10 SDK still does not work, and the one from the V7.1 SDK does not support multiple signatures at all):

  1. Sign with SHA1: signtool sign /v /f my.pfx /p 1234 test.exe
  2. Sign with SHA256: signtool sign /v /f my.pfx /p 1234 /as /fd sha256 test.exe
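As an added check that is not part of the question or any of the answers: a stdlib-only Python script that parses a PE file's certificate table and counts its Authenticode signatures, so after running the two signtool commands above you can confirm that both the SHA-1 signature and the appended SHA-256 signature are actually present. The `build_fake_pe` helper and the blobs fed to it are constructed test input, not a real signed binary.

```python
import struct

# DER encoding of OID 1.3.6.1.4.1.311.2.4.1 (szOID_NESTED_SIGNATURE): the unauthenticated
# attribute in which Windows stores each additional signature appended with /as.
NESTED_SIG_OID = bytes.fromhex("060a2b060104018237020401")

def security_directory(data):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or (0, 0) if not a PE."""
    if data[:2] != b"MZ":
        return (0, 0)
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return (0, 0)
    opt = pe + 24                                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+ layout
    return struct.unpack_from("<II", data, dd_base + 4 * 8)  # entry 4 = security table

def count_signatures(data):
    """Count Authenticode signatures: one per WIN_CERTIFICATE entry plus each nested one."""
    off, size = security_directory(data)
    end, total = off + size, 0
    while off + 8 <= end:
        length, _rev, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or cert_type != 0x0002:           # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            break
        blob = data[off + 8:off + length]               # the PKCS#7 SignedData
        total += 1 + blob.count(NESTED_SIG_OID)         # primary + nested signatures
        off += (length + 7) & ~7                        # entries are 8-byte aligned
    return total

def build_fake_pe(pkcs7_blobs):
    """Constructed test input: a minimal PE32+ image whose security table holds the given blobs."""
    table = b""
    for blob in pkcs7_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    pe_off, opt_size = 0x40, 112 + 16 * 8
    table_off = pe_off + 4 + 20 + opt_size              # certificate table directly after the headers
    opt = struct.pack("<H", 0x20B) + b"\0" * (112 - 2)  # PE32+ magic, rest of the fixed fields zeroed
    dirs = [(0, 0)] * 16
    dirs[4] = (table_off, len(table))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0)
    return head + b"PE\0\0" + coff + opt + table
```

On a real file, read it in binary mode and pass the bytes to `count_signatures`; a correctly dual-signed executable reports 2, a single-signed one 1.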
