Can I safely sign a DLL file with a new certificate (using Microsoft's SignTool) if the DLL is already signed without recompiling it?
Everything looks kosher after I do this, but I want to be 100% sure.
A digital signature can be appended to a DLL, as long as the SignTool option which follows is used for signing:
/as
Appends this signature. If no primary signature is present, this signature is made the primary signature.
Multiple signing operations do not overwrite/replace the signature.
You might want to refer to "Can I remove a digital signature from a DLL?" for further reference.
Unsigntool allows removing a signature from the PE section. I've never used it, nor do I recommend using this program, so use it at your own risk.
The difference, if any, between files signed twice with or without the /as parameter can be seen with tools like PE Explorer / PE Viewer, which allow you to see the PE section of the executable or DLL.
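As an added example (not part of the original answer), here is a Python sketch of what a PE viewer shows in this case: it walks the PE certificate table and counts occurrences of the nested-signature attribute OID 1.3.6.1.4.1.311.2.4.1, which is where SignTool places a signature appended with /as. The byte search is a heuristic rather than a full ASN.1 parse, and `sample_pe` and its blobs are constructed test data, not real signatures.

```python
import struct

# DER bytes of OID 1.3.6.1.4.1.311.2.4.1 (Microsoft nested-signature attribute)
NESTED_SIG_OID = bytes.fromhex("060a2b060104018237020401")

def list_signatures(pe: bytes) -> list:
    """Return one dict per WIN_CERTIFICATE entry in the PE certificate table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # optional header: after 4-byte signature + 20-byte COFF header
    dir_start = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", pe, opt)[0])
    if dir_start is None:
        raise ValueError("unknown optional header magic")
    dirs = opt + dir_start  # data directories; NumberOfRvaAndSizes sits just before
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:
        return []
    # Directory 4 is the security directory; its address is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    entries, end = [], off + size
    while off + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > len(pe):
            raise ValueError("corrupt certificate table")
        blob = pe[off + 8:off + length]
        entries.append({"type": cert_type, "size": length,
                        "nested": blob.count(NESTED_SIG_OID)})
        off += (length + 7) & ~7  # entries are 8-byte aligned
    return entries

def sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ image with one WIN_CERTIFICATE entry (test data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    cert_off = len(dos) + len(coff) + len(opt) + 16 * 8
    entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    dirs = b"\0" * 32 + struct.pack("<II", cert_off, len(entry)) + b"\0" * 88
    return dos + coff + opt + dirs + entry

if __name__ == "__main__":
    primary = b"\x30\x03abc"  # constructed placeholder, not a real PKCS#7 blob
    print(list_signatures(sample_pe(primary)))
    print(list_signatures(sample_pe(primary + NESTED_SIG_OID + b"xyz")))
```

For a real DLL, pass the file's bytes (`open(path, "rb").read()`) to `list_signatures`; a `nested` count of 1 or more on the primary entry indicates an appended signature.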