Add ability to sign with additional certificates

The only difference when using the /ac flag with signtool is that the dummy cert doesn’t appear in the digital signature list on the file properties (I’m not sure why that’s the case?)

Because the dummy certificate isn’t used for signing, it’s simply appended to the certificate store embedded within the signature. This store is used by Windows to link the signing certificate with the CA certificate (this is necessary if some of the intermediate certificates are unknown to Windows). The dummy certificate doesn’t participate in the certificate chain and is invisible in the file properties. The signature is simply larger.

The addUnauthenticatedBlob feature is slightly different, it adds an entry into the unauthenticated attributes table of the signature. That’s more compact that injecting a whole certificate, but it’s visible in the file properties

Should this be closed, or changed to be the issue for adding the functionality of addUnauthenticatedBlob?

No I’m still pondering if /ac is worth implementing, I’m just looking for a good use case. I’m tempted to extend the semantic of the certfile parameter and simply add all the certificates in this file even if they do not participate in the certificate chain.

@MrAlex94 Thank you for the clarification. osslsigncode supports the -addUnauthenticatedBlob parameter to inject bytes into the signature that can be altered without invalidating it. That’s a simpler alternative than fiddling with the additional certificates. This is a feature I’d like to implement in Jsign as well.