All the cross-certs available for download from MS seem to support sha1 only.
The only way I know to tell what is supported by the certificate is to look at the details tab
in the certmgr. All the ones I have seen only indicate sha1 support.
Is it true that the certificate needs to indicate sha256 support for it to work?
signtool has the following options that are related to sha algorithm.
/sha1 Specify the SHA1 thumbprint of the signing cert.
/fd Specifies the file digest algorithm to use for creating file
signatures. (Default is SHA1)
Is the syntax of the signtool /fd:sha256?
thanks,
m navab
Is this related to a specific architecture type? If yes, please ask your eco PM for guidance.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, April 03, 2012 11:35 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How do you sign with SHA256?
All the cross-certs available for download from MS seem to support sha1 only.
The only way I know to tell what is supported by the certificate is to look at the details tab in the certmgr. All the ones I have seen only indicate sha1 support.
Is it true that the certificate needs to indicate sha256 support for it to work?
signtool has the following options that are related to sha algorithm.
/sha1 Specify the SHA1 thumbprint of the signing cert.
/fd Specifies the file digest algorithm to use for creating file
signatures. (Default is SHA1)
Is the syntax of the signtool /fd:sha256?
thanks,
m navab
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
On 4/3/2012 8:34 PM, xxxxx@yahoo.com wrote:
> All the cross-certs available for download from MS seem to support sha1 only.
Sorry, but this is an incorrect statement.
A certificate or cross-certificate cannot (and does not) “support” sha1.
SHA1 was used to generate the thumbprint (data checksum) that is then
encrypted with the private key of the signer.
Please look up what “signing” and “certificate” actually means. Many
people have only half-knowledge about it, but it is important to
understand these concepts thoroughly.
> signtool has the following options that are related to sha algorithm.
> /sha1 Specify the SHA1 thumbprint of the signing cert.
This means you can select a specific certificate by specifying the SHA1
thumbprint, instead of e.g. the “Organizational Name”.
This is useful if you have two certificates issued by the same entity
[e.g. with different expiration dates] who have the same name properties
set to the same values and differ only in SHA1 checksum.
> /fd Specifies the file digest algorithm to use for creating file
> signatures. (Default is SHA1)
This tells signtool to use the specified digest algorithm for the
signature process.
Signing means essentially “encrypt a hash value with a private key” (so
that the resulting “signature” can be verified by anyone using the
public key of the signer). /fd sets the algorithm to compute this hash
value (aka file digest value).
> Is the syntax of the signtool /fd:sha256?
If you haven’t figured it out already, the syntax is ‘/fd sha256’. Space,
no colon.
t.
> thanks,
> m navab
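Added example (not code from this thread): a PowerShell script that shows the difference the reply above draws. The "Signature algorithm" certmgr shows on a certificate is the hash its CA used to sign the certificate; the file digest is whatever `/fd` selects at signing time. The script signs with `/fd sha256` (space, no colon), then decodes the PKCS#7 blob from the PE's certificate table to read back the digest actually recorded. The file path, cross-cert path and thumbprint are placeholders you must replace.

```powershell
# Added example, not from the thread. Placeholders below are hypothetical values.
param(
    [string]$File       = 'C:\build\mydriver.sys',                   # hypothetical path
    [string]$Thumbprint = '0000000000000000000000000000000000000000', # placeholder thumbprint
    [string]$CrossCert  = 'C:\certs\cross-cert.cer'                  # hypothetical path
)

# What certmgr's Details tab calls "Signature algorithm" is the hash the issuing CA
# used when it signed this certificate. It is not a list of digests the cert "supports".
$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
"Certificate itself was signed by its CA with: " + $cert.SignatureAlgorithm.FriendlyName

# The file digest is chosen here. '/fd sha256' takes a space, not a colon.
# /sha1 selects the signing cert by thumbprint; /ac appends the cross-certificate.
& signtool.exe sign /v /sha1 $Thumbprint /ac $CrossCert /fd sha256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Locate the Authenticode PKCS#7 blob via the PE security data directory and decode it,
# so the digest algorithm stored in the signature can be checked independently of the cert.
function Get-AuthenticodeDigestAlgorithm([string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                  # e_lfanew -> IMAGE_NT_HEADERS
    $opt = $pe + 24                                          # optional header starts after signature + file header
    $magic = [BitConverter]::ToUInt16($b, $opt)              # 0x10B = PE32, 0x20B = PE32+
    $secDir = if ($magic -eq 0x20B) { $opt + 144 } else { $opt + 128 }  # data directory entry 4
    $certOff = [BitConverter]::ToInt32($b, $secDir)          # file offset (not an RVA) of cert table
    $certLen = [BitConverter]::ToInt32($b, $secDir + 4)
    if ($certOff -eq 0 -or $certLen -eq 0) { throw "$Path carries no Authenticode signature" }
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $winLen = [BitConverter]::ToInt32($b, $certOff)
    $p7 = New-Object byte[] ($winLen - 8)
    [Array]::Copy($b, $certOff + 8, $p7, 0, $p7.Length)
    Add-Type -AssemblyName System.Security
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($p7)
    $cms.SignerInfos[0].DigestAlgorithm.FriendlyName          # expected: sha256
}
"File digest algorithm recorded in the signature: " + (Get-AuthenticodeDigestAlgorithm $File)

# Cross-check with signtool's own verifier (kernel-mode policy).
& signtool.exe verify /v /kp $File
```

Only the first signature in the certificate table is inspected; a file carrying both a SHA1 and a SHA256 signature (`/as` appended) would need each WIN_CERTIFICATE entry walked in turn.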