Does the Authenticode action support multiple certificates?

I have been trying to sign my exe with two different certificates by just using two Authenticode actions after each other. However this does not seem to work.

What I want to do is apply both a sha1 and sha256 code signing certificate to my exe. As you might know Microsoft is in the process of deprecating sha1 on Windows 7 and above in favor of sha256. So now I need sha1 for XP/Vista and sha256 for Win7/8/10.

This can be done using the MS signtool. Symantec has a good description of how this is done here: https://knowledge.symantec.com/supp...d=INFO2274 .

But I would prefer to use the built-in FB action. Is this currently possible? If not, would you consider adding support for it, as I think it will soon become very relevant for others as well.

Hi Lars,

It looks like the following option is all that is required:

“/as: Appends this signature. If no primary signature is present, this signature is made the primary signature instead.”

I will look at adding that today.

Hi Jason,

Happy new year!

That sounds great. Thanks.

Hi Lars

The latest build now has /as support.

You guys rock! Excellent support as always :)

Posted By Vincent Parrett on 04 Jan 2016 03:23 PM
Hi Lars

The latest build now has /as support.



Hi!

Thanks for supporting multiple signatures! Is this option configurable? I can't find any option. Appending a signature shouldn't be the default behaviour, as it breaks things. Replacing a signature should be the default.

Thanks,
Chris

Hi Chris

There is a new option on the Basic Options property page for the Signtool action; appending is not the default. See attached screenshot.

Hi Vincent!

Thank you for your help - we’re using the Authenticode action in all of our projects, which seems not to be using any external tools for code signing.

Is there an easier way to install the signtool other than installing a >1GB SDK for a tool less than 1MB?

Regards,
Chris

Not that I am aware of. If you have Visual Studio installed then you already have the SDK installed. On my machine the SDK is installed under C:\Program Files\Microsoft SDKs\Windows\

The Authenticode action is deprecated, since it uses the CAPICOM API, which Microsoft deprecated some time ago.

Posted By Vincent Parrett on 04 Jan 2016 03:23 PM

The latest build now has /as support.


Vincent,

Can the action do both SHA1 and SHA256 in the same action, or is it a matter of doing SHA1 and then SHA256 with /as enabled?

Thanks, Matthew

You need to do SHA1 and then SHA256 - I have a blog post about this almost ready to go, will try and get it finished today.
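
The two-step order described in the last reply, written as direct signtool calls (an added example, not part of the thread and not the product's own code). The thumbprints, timestamp URLs and file path are parameters the caller supplies; it assumes signtool.exe is on PATH and both certificates are in the current user's certificate store.

```powershell
# Added example: dual-sign one file, SHA-1 first, then append SHA-256 with /as.
# All parameter values are supplied by the caller; none come from the thread.
param(
    [Parameter(Mandatory)][string]$File,
    [Parameter(Mandatory)][string]$Sha1CertThumbprint,    # thumbprint of the SHA-1 certificate
    [Parameter(Mandatory)][string]$Sha256CertThumbprint,  # thumbprint of the SHA-256 certificate
    [Parameter(Mandatory)][string]$LegacyTimestampUrl,    # Authenticode timestamp server (for /t)
    [Parameter(Mandatory)][string]$Rfc3161TimestampUrl    # RFC 3161 timestamp server (for /tr)
)
$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    # signtool reports failure through its exit code, so check it after every call.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path -LiteralPath $File)) { throw "File not found: $File" }

# Step 1: primary signature. No /as here, so this signature becomes the primary one.
# Note: the /sha1 switch selects the certificate by thumbprint; /fd sets the file digest.
Invoke-SignTool @(
    'sign', '/sha1', $Sha1CertThumbprint,
    '/fd', 'sha1',
    '/t', $LegacyTimestampUrl,
    $File
)

# Step 2: secondary signature. /as appends instead of replacing the one from step 1.
# The timestamp is RFC 3161 (/tr) with a SHA-256 timestamp digest (/td).
Invoke-SignTool @(
    'sign', '/as', '/sha1', $Sha256CertThumbprint,
    '/fd', 'sha256',
    '/tr', $Rfc3161TimestampUrl, '/td', 'sha256',
    $File
)

# Step 3: verify every signature in the file, not only the primary one.
# /pa uses the default Authenticode verification policy; /all covers all signatures.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

Running the steps in the opposite order, or omitting /as in step 2, leaves the file with a single signature, which is why the verify step uses /all.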