Signing code simultaneously with sha1 and sha256?

Due to the fact that Windows is changing its security policies, we plan to start working with driver files for signing code using the SHA-256 algorithm instead of SHA-1. However, we still want to support older OSes that still require SHA-1 signing.

Using Microsoft signtool.exe, we can successfully encode icon files using the SHA-1 and SHA-256 digest algorithms using the /fd flag. However, if possible, we would like to sign a file with both algorithms at the same time. Is it possible? We would like to avoid having several sets of drivers that were signed with various algorithms, and determining which set to install based on the OS - this will be our alternative approach.

If anyone has had experience with this, please explain what approach you took. If this is not possible, explain why this is not possible. Thanks!

1 answer

You can add a second certificate to exe/dll/sys by calling signtool sign /as [signing cert parameters] [name of file]

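A worked version of the dual-signing procedure the answer describes, added here as an example and not part of the original post; the driver path, certificate thumbprint and timestamp URLs are placeholders you substitute with your own.

```powershell
# Added example (not from the original question or answer): sign one driver file
# with a SHA-1 primary signature and then append a SHA-256 signature with /as.
# Assumptions: signtool.exe is on PATH, the signing certificate is in the current
# user's store and selected by thumbprint, and the timestamp URLs are placeholders.
$File           = 'C:\build\mydriver.sys'                    # constructed path
$Thumbprint     = '<CERT-THUMBPRINT-PLACEHOLDER>'            # SHA-1 thumbprint of the signing cert
$TsAuthenticode = 'http://timestamp.example/authenticode'    # placeholder Authenticode timestamp URL
$TsRfc3161      = 'http://timestamp.example/rfc3161'         # placeholder RFC 3161 timestamp URL

# 1. Primary signature: SHA-1 file digest with an Authenticode timestamp (/t).
#    Older Windows versions evaluate only the primary (first) signature, so the
#    SHA-1 signature must be created first.
signtool.exe sign /v /sha1 $Thumbprint /fd sha1 /t $TsAuthenticode $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit code $LASTEXITCODE)" }

# 2. Append (/as) a second signature with a SHA-256 file digest and an RFC 3161
#    timestamp whose digest is also SHA-256 (/tr + /td). Without /as, signtool
#    would replace the SHA-1 signature instead of adding to it.
signtool.exe sign /v /as /sha1 $Thumbprint /fd sha256 /tr $TsRfc3161 /td sha256 $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 append signing failed (exit code $LASTEXITCODE)" }

# 3. Check the result: /all verifies every signature in the file, not just the
#    primary one. The verbose output should list two signatures, one with a sha1
#    digest and one with a sha256 digest.
signtool.exe verify /v /pa /all $File
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed (exit code $LASTEXITCODE)" }
```

Run the verify step once on a patched and once on an unpatched older test machine to confirm each OS accepts the signature it understands.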
