The SHA256 result is different from certutil and signtool.exe

rmao 5 Reputation points

I tried to use signtool.exe to sign a .js file.

The content of the .js file is very simple:


The SHA256 of the file using certutil is:

> certutil -hashfile test.js SHA256
SHA256 hash of test.js: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
CertUtil: -hashfile command completed successfully.

I can successfully sign and verify the file.

> signtool sign /debug /f myCert.pfx  /fd SHA256 test.js

The following certificates were considered:
    -- cert info hidden --- 

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    -- cert info hidden --- 

The following additional certificates will be attached:
Done Adding Additional Store
Successfully signed: test.js

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

> signtool verify /v /pa test.js

Verifying: test.js

Signature Index: 0 (Primary Signature)
Hash of file (sha256): E417D143E302D30B99AAF2810FCDC8CD5B0DF2802943C38A132F933EB2D2F3AA

Signing Certificate Chain:
    -- cert info hidden --- 

File is not timestamped.

Successfully verified: test.js

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

However, the two SHA256 hashes are different:

-----------SHA256 from certutil----------------------------
-----------SHA256 from signtool----------------------------

If I understand correctly, when signing the file, the signtool calculates the SHA256 digest of the original file and sign it with the certificate provided.

Could you please explain why these two hashes are different? And how could I calculate the hash produced by signtool using certutil or other windows tool?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,838 questions
0 comments No comments
{count} vote