diff --git a/hapsigntool_cpp/hap/config/include/signer_config.h b/hapsigntool_cpp/hap/config/include/signer_config.h
index d22712544ff253f1eeca55d453d0ac8e2f852505..b03cc654e0dd1030ef18e90c4ce91960a8dcf89f 100644
--- a/hapsigntool_cpp/hap/config/include/signer_config.h
+++ b/hapsigntool_cpp/hap/config/include/signer_config.h
@@ -14,7 +14,9 @@
  */
 #ifndef SIGNATRUETOOLS_SIGNER_CONFIG_H
 #define SIGNATRUETOOLS_SIGNER_CONFIG_H
+
 #include <map>
+#include <mutex>
 #include <vector>
 #include <string>
 #include <memory>
@@ -54,6 +56,7 @@ private:
     std::map<std::string, std::string> signParamMap;
     std::shared_ptr<Signer> signer;
     int compatibleVersion;
+    std::mutex signerMtx;
 };
 } // namespace SignatureTools
 } // namespace OHOS
diff --git a/hapsigntool_cpp/hap/config/src/signer_config.cpp b/hapsigntool_cpp/hap/config/src/signer_config.cpp
index b96f41fed183dc573bee9ac67439d3989a30faaf..9c60ec3461b387ea99d5ebc54a00da34bdc014bf 100644
--- a/hapsigntool_cpp/hap/config/src/signer_config.cpp
+++ b/hapsigntool_cpp/hap/config/src/signer_config.cpp
@@ -100,6 +100,7 @@ void SignerConfig::FillParameters(const std::map<std::string, std::string>& para
 
 std::shared_ptr<Signer> SignerConfig::GetSigner()
 {
+    std::lock_guard<std::mutex> lockGuard(signerMtx);
     if (signer == nullptr) {
         SignerFactory factory;
         LocalizationAdapter adapter(options);
diff --git a/hapsigntool_cpp/hap/provider/src/sign_provider.cpp b/hapsigntool_cpp/hap/provider/src/sign_provider.cpp
index 18c0593f947b4eda1a4302ab7662d07f05ae5c61..438d65445f992893fab743199d956c2f2edf4caf 100644
--- a/hapsigntool_cpp/hap/provider/src/sign_provider.cpp
+++ b/hapsigntool_cpp/hap/provider/src/sign_provider.cpp
@@ -25,6 +25,7 @@
 #include "nlohmann/json.hpp"
 #include "string_utils.h"
 #include "file_utils.h"
+#include "pkcs7_data.h"
 #include "sign_elf.h"
 #include "sign_bin.h"
 #include "params.h"
@@ -533,6 +534,11 @@ int SignProvider::GetCertListFromFile(const std::string& certsFile, STACK_OF(X50
             break;
         sk_X509_push(*ret, cert);
     }
+    if (PKCS7Data::SortX509Stack(*ret) != RET_OK) {
+        PrintErrorNumberMsg("CERTIFICATE_ERROR", CERTIFICATE_ERROR,
+            "Input certificate file do not include a valid certificate chains");
+        return CERTIFICATE_ERROR;
+    }
     BIO_free(certBio);
     return RET_OK;
 }