How does one correctly dual-sign code with a timestamp?

Question

I have two code signing certificates (one SHA-1, one SHA-256) which I'd like to apply to the same file. I tried to append the SHA-256 certificate, but this fails:

:: Signs with the SHA-1 certificate
signtool sign /sha1 8f52fa9db30525dfabb35b08bd1966693a30eccf /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe
:: Signs with the SHA-2 certificate
signtool sign /sha1 8b0026ecbe5bf245993b26e164f02e1313579e47 /as /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe

This fails with the error:

Done Adding Additional Store
SignTool Error: SignedCode::Sign returned error: 0x80070057
        The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: my_app_here.exe

If I remove the timestamp URL from the second command, the signing completes successfully, but the SHA-2 signature has no timestamp. (Whether or not I put a timestamp on the first signature has no effect)

The intent here is to allow someone to verify the app with the stronger certificate if they are on an operating system that supports this, but to avoid failing validation on operating systems that don't support the stronger certificates (Vista, XP).

Is this kind of thing even possible?

Answer 1

SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.

The RFC 3161 URL for Symantec/Verisign is:

http://sha256timestamp.ws.symantec.com/sha256/timestamp

If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.

Source:

https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820