Due to Windows changing its security policies, we are planning to begin code-signing driver files with the SHA-256 algorithm instead of SHA-1. However, we still want to be able to support older OSes that still require SHA-1 signing.
Using Microsoft's signtool.exe, we are able to code-sign files successfully with both SHA-1 and SHA-256 digest algorithms using the /fd flag. However, if possible, we would like to sign the file with both algorithms simultaneously. Is this even possible? We would like to avoid having multiple sets of drivers that are signed with different algorithms and determining which set to install based on OS, which would be our alternative approach.
If anyone has had experience with accomplishing this please explain what approach you took. If this isn't possible, an explanation of why it's impossible would be appreciated.
You can append the second certificate to the EXE/DLL/SYS by calling
signtool sign /as [signing cert parameters] [name of file]
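A worked version of that approach, as an added example rather than part of the answer above: sign with SHA-1 first so it becomes the primary signature that older systems read, then append the SHA-256 signature with /as, and finally verify every signature on the file. The SignTool path, certificate thumbprint, timestamp URL and driver directory are placeholders I assumed for illustration; all signtool flags used (/sha1, /fd, /t, /as, /tr, /td, verify /pa /all) are documented signtool options.

```powershell
# Added example, not from the original answer. Paths, thumbprint and
# timestamp URL below are placeholders for illustration; substitute your own.
$SignTool   = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"  # assumed SDK location
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"                   # placeholder cert thumbprint
$TsaUrl     = "http://timestamp.example.com"                               # placeholder timestamp server
$Drivers    = Get-ChildItem -Path .\release -Filter *.sys                  # assumed output directory

foreach ($drv in $Drivers) {
    # 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
    #    Systems that understand only SHA-1 signatures read just this primary one.
    #    Note: /sha1 here selects the certificate by thumbprint; /fd sets the digest.
    & $SignTool sign /v /sha1 $Thumbprint /fd sha1 /t $TsaUrl $drv.FullName
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed for $($drv.Name)" }

    # 2. Appended signature: SHA-256 file digest with an RFC 3161 (/tr, /td) timestamp.
    #    /as appends this signature instead of overwriting the one from step 1.
    & $SignTool sign /v /as /sha1 $Thumbprint /fd sha256 /tr $TsaUrl /td sha256 $drv.FullName
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 append failed for $($drv.Name)" }

    # 3. Verify all signatures (/all), not only the primary one.
    & $SignTool verify /v /pa /all $drv.FullName
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $($drv.Name)" }
}
```

The order matters: the signature created without /as is the primary one, and systems that predate dual-signature support only evaluate the primary signature, so it should be the SHA-1 one. Also check with signtool verify /all (or the file's Digital Signatures tab) rather than Windows PowerShell's Get-AuthenticodeSignature, which reports only the primary signature.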