sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0

Nested signing of PE Executable #1

Closed antoinedeschenes closed 6 years ago

antoinedeschenes commented 6 years ago

Hi,

Is it possible to sign PE Executables with both sha1 and sha256 digests? osslsigncode has a "-nest" option for this.

Thanks!

mtharp commented 6 years ago

I considered it, but as far as I can tell, only unpatched versions of Windows 7 still require SHA-1 signatures, so it didn't seem worth the complexity. Do you have a particular case that requires it?

antoinedeschenes commented 6 years ago

We'll publish an Electron app soon built with electron-builder using a custom signing script with relic as it is built around osslsigncode right now. It double-signs apps using sha1 and sha256, but I figured it can be configured to sign SHA-256 only. I'm not sure what OS version users will use, but since Electron is Chrome-based and doesn't support XP and Vista anymore, I guess we can close this case.