diff --git a/tools/build.bat b/tools/build.bat
index 9e5ebad7..a78b9cb5 100755
--- a/tools/build.bat
+++ b/tools/build.bat
@@ -78,9 +78,7 @@ if X%SignedPackage%==X (
         launchctl-a64.exe launchctl-x64.exe launchctl-x86.exe^
         fsptool-a64.exe fsptool-x64.exe fsptool-x86.exe^
         memfs-a64.exe memfs-x64.exe memfs-x86.exe memfs-dotnet-msil.exe
-    signtool sign /ac %CrossCert% /i %Issuer% /n %Subject% /fd sha1 /t http://timestamp.digicert.com !signfiles!
-    if errorlevel 1 set /a signfail=signfail+1
-    signtool sign /as /ac %CrossCert% /i %Issuer% /n %Subject% /fd sha256 /tr http://timestamp.digicert.com /td sha256 !signfiles!
+    signtool sign /ac %CrossCert% /i %Issuer% /n %Subject% /fd sha256 /tr http://timestamp.digicert.com /td sha256 !signfiles!
     if errorlevel 1 set /a signfail=signfail+1
     popd
 
@@ -116,10 +114,8 @@ devenv winfsp.sln /build "Installer.%Configuration%|x86"
 if errorlevel 1 goto fail
 
 for %%f in (build\%Configuration%\%MyProductFileName%-*.msi) do (
-    signtool sign /ac %CrossCert% /i %Issuer% /n %Subject% /fd sha1 /t http://timestamp.digicert.com /d %MsiName% %%f
+    signtool sign /ac %CrossCert% /i %Issuer% /n %Subject% /fd sha256 /tr http://timestamp.digicert.com /td sha256 /d %MsiName% %%f
     if errorlevel 1 set /a signfail=signfail+1
-    REM signtool sign /ac %CrossCert% /i %Issuer% /n %Subject% /fd sha256 /tr http://timestamp.digicert.com /td sha256 /d %MsiName% %%f
-    REM if errorlevel 1 set /a signfail=signfail+1
 )
 
 if not %signfail%==0 echo SIGNING FAILED! The product has been successfully built, but not signed.