signtool failing to dual sign SHA2 and SHA1 with timestamps

Tags: windows


I know it's a bit old, but I landed in this thread and maybe someone else will too.

It will work if you sign first with SHA1 and then with SHA256:

signtool.exe sign /f cert_file.pfx /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password

It worked using the same certificate in both signatures. I used the signtool from Windows 10 SDK, don't know if it will work with previous versions.


I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:

signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.

The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.

Updated 29/12/15:

The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:

signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Updated 30/12/2015

To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:

signtool.exe sign /sha1 SHA256_Thumbprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"
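The two answers above boil down to one procedure: sign with SHA-1 first, append the SHA-256 signature with /as, and verify that both ended up in the file. The following PowerShell wrapper is an added example, not code from the thread or from Microsoft. It assumes signtool.exe from the Windows SDK is on PATH, that one certificate in the CurrentUser\My store is used for both signatures (the thread also shows a two-certificate variant), and that the thumbprint value and the RFC 3161 URL are placeholders you replace with your own.

```powershell
# Added example: dual-sign a PE file (SHA-1 primary, SHA-256 appended) and verify both.
# Assumptions: signtool.exe on PATH, certificate in CurrentUser\My, thumbprint and
# timestamp URL are placeholders.
param(
    [Parameter(Mandatory)] [string] $File,
    [Parameter(Mandatory)] [string] $Thumbprint,   # 40 hex characters, no spaces
    [string] $Rfc3161Url = 'http://timestamp.comodoca.com/rfc3161'
)

$ErrorActionPreference = 'Stop'

# The /sha1 switch selects the certificate by its SHA-1 thumbprint; catch the common
# copy/paste mistakes (spaces, wrong length) before calling signtool.
if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    throw "Thumbprint must be exactly 40 hexadecimal characters with no spaces."
}
$Thumbprint = $Thumbprint.ToUpperInvariant()

# Only PE images (EXE/DLL) carry more than one Authenticode signature; an MSI holds one.
if ([IO.Path]::GetExtension($File) -ieq '.msi') {
    throw "MSI packages cannot be dual-signed; sign them once instead."
}

# Step 1: primary SHA-1 signature with an RFC 3161 timestamp hashed with SHA-1.
& signtool.exe sign /sha1 $Thumbprint /fd sha1 /tr $Rfc3161Url /td sha1 /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit code $LASTEXITCODE)" }

# Step 2: append the SHA-256 signature. Without /as this call would replace step 1.
& signtool.exe sign /sha1 $Thumbprint /as /fd sha256 /tr $Rfc3161Url /td sha256 /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit code $LASTEXITCODE)" }

# Step 3: verify every signature in the file. /all walks each signature; /pa uses the
# default Authenticode verification policy.
& signtool.exe verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Verification failed (exit code $LASTEXITCODE)" }

# Get-AuthenticodeSignature reports only the primary signature, so it is a quick
# sanity check, not a substitute for 'signtool verify /all'.
$sig = Get-AuthenticodeSignature -FilePath $File
'{0}: primary signature {1}, signer {2}' -f $File, $sig.Status, $sig.SignerCertificate.Subject
```

Run it as `.\DualSign.ps1 -File .\FileName.dll -Thumbprint 0123456789ABCDEF0123456789ABCDEF01234567`. The two-certificate variant from the answer above is the same script with a second thumbprint parameter used in step 2; the ordering (SHA-1 first, then /as) and the verify step do not change.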


The issue is actually way simpler.

The problem is with the time stamp server.

Instead of using signtool.exe with this

/t http://timestamp.comodoca.com 

You need to use it like this for SHA1

/tr http://timestamp.comodoca.com /td sha1

And for SHA256

/tr http://timestamp.comodoca.com/?td=sha256 /td sha256