windowssha256signtoolauthenticode

How to setup signtool with SHA256 on Windows 7?


I have been using SHA1 signing for many years, but from 2016, Windows is forcing developers to use SHA256.

Windows Enforcement of Authenticode Code Signing and Timestamping

By using Windows 7 SDK signtool the functions to sign SHA-256 is "unknown commands", so this signtool is obsolete as a signtool and shouldn't be used any more.

To sign with SHA256 I downloaded the Windows 8.1 SDK to get signtool.exe which got the new functions(/fd and a few others). The BAT file and signtool works on Windows 8 and 10, so I know it works, but crashes on Windows 7 when it tries to timestamp the file.

enter image description here

I use a bat file to sign files, which looks like this(I edited the BAT file so it doesn't show variables, full paths, company name and passwords):

Path\signtool.exe sign /f "Path\Certificate.p12" /fd sha256 /p *password* /du "URL" /tr "timestampServer?td=sha256" /td sha256 /d "Product name" "Filename"

I guess, I don't have the proper SDK to support some of the functions, but I can't find any info on the internet on how to setup this on a Windows 7. I tried to install MS Visual C++ 2015 Redistributable (x64) on my machine without solving the problem.


Solution

  • Seems I'm no good at reading. I'm answering my own question as others could find it hard to find, just like I did.

    Windows doesn't support the signtool.exe on Windows 7 any more, so that is why old/obsolete functions like SHA-1 signing is still working, but SHA-256 time stamping is a problem. I found this on MSDN:

    Quote from MSDN: Note You can only use SignTool to sign your Windows Store app packages on Windows 8 and later or Windows Server 2012 and later. You can't use SignTool to sign app packages on down level operating systems such as Windows 7 or Windows Server 2008 R2.

    If you want to read the whole thing then look here:

    How to sign an app package using SignTool