2

Since MS dropped SHA-1 support we now need to sign with SHA-2.

I sign all DLLs, EXEs and MSIs. I changed my signtool.exe call to this:

signtool.exe sign /f "PathToPFX.pfx" /fd SHA256 /p "password" /d "product" /du "www.site.com" /tr "http://timestamp.geotrust.com/tsa" "FileToSign.msi"

I don't need dual signing because we don't support < Vista. I'm using the sign tool in the Windows 8.1 SDK.

The sign tool gives no errors when I call it, and when I look at the certs they look to be updated correctly:


But I still get the corrupt MSI error when downloading through IE.

I'm guessing my cert needs renewing, but I'm unsure how I can check if my PFX cert is using SHA1 or not. The cert was provided by VeriSign - Symantec now provides the support for this.

Gerald Schneider

1 Answer

0

I talked to Symantec customer support and need to get the certificate reissued.

https://knowledge.symantec.com/support/ssl-certificates-support/index.html

Chat link at the top right. The new cert will be emailed to the technical contact on your company's account.

After the reissue, I was able to solve the issue.
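The question asks how to check whether the certificate inside a PFX is SHA-1-signed. One way to do that in PowerShell, as an added example that is not part of the original posts: the function names and the two throwaway self-signed certificates are constructed for illustration, and it assumes .NET Framework 4.7.2 or later (or PowerShell 7) on Windows.

```powershell
# Added example: list every certificate in a PFX and flag SHA-1 signatures.
# Function names and sample certificates are hypothetical/constructed.
$X509 = 'System.Security.Cryptography.X509Certificates'

# Signature-algorithm OIDs that use SHA-1.
$Sha1Oids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.2.840.10040.4.3',      # dsa-with-sha1
    '1.2.840.10045.4.1'       # ecdsa-with-SHA1
)

function Get-PfxSignatureAlgorithm {
    param([Parameter(Mandatory)] [byte[]] $PfxBytes, [string] $Password)
    $certs = New-Object "$X509.X509Certificate2Collection"
    $certs.Import($PfxBytes, $Password, 'DefaultKeySet')
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject       = $c.Subject
            HasPrivateKey = $c.HasPrivateKey        # the signing cert itself
            Algorithm     = $c.SignatureAlgorithm.FriendlyName
            Oid           = $c.SignatureAlgorithm.Value
            IsSha1        = $Sha1Oids -contains $c.SignatureAlgorithm.Value
        }
    }
}

# Builds a one-day self-signed certificate in memory and returns it as PFX bytes.
function New-SamplePfx {
    param([System.Security.Cryptography.HashAlgorithmName] $Hash, [string] $Password)
    $rsa  = [System.Security.Cryptography.RSA]::Create(2048)
    $req  = New-Object "$X509.CertificateRequest" -ArgumentList @(
        "CN=Constructed $($Hash.Name) sample", $rsa, $Hash,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now  = [DateTimeOffset]::Now
    $cert = $req.CreateSelfSigned($now, $now.AddDays(1))
    , $cert.Export('Pfx', $Password)                # leading comma keeps byte[] intact
}

# Constructed inputs: one SHA-1-signed and one SHA-256-signed certificate.
foreach ($h in 'SHA1', 'SHA256') {
    $hash = [System.Security.Cryptography.HashAlgorithmName]::$h
    $pfx  = New-SamplePfx -Hash $hash -Password 'password'
    Get-PfxSignatureAlgorithm -PfxBytes $pfx -Password 'password'
}

# For a PFX on disk:
# Get-PfxSignatureAlgorithm -PfxBytes ([IO.File]::ReadAllBytes('PathToPFX.pfx')) -Password 'password'
```

The `/fd SHA256` switch only selects the digest used for the file signature; the certificate's own signature algorithm is fixed when the CA issues it, which is why a reissue was needed here.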