Microsoft has recently announced two major updates to its SHA-1 deprecation policy for Code Signing Certificates. The first is a Windows update that adds SHA-2 Code Signing support to Windows 7 and Windows Server 2008 R2; the second allows Certificate Authorities to continue issuing SHA-1 Code Signing Certificates after January 1st, 2016 for platforms that cannot yet verify SHA-2 signatures.
Microsoft announces updates to SHA-1 deprecation policy for Code Signing
A Windows update for Windows 7 and Windows Server 2008 R2 that adds support for SHA-2 Code Signing Certificates was re-released on March 10th, 2015 (Microsoft Security Advisory 3033929, see references). Microsoft had previously released a similar update on October 14th, 2014, but after issues were detected it was pulled from the Microsoft Download Center. The new update enables Windows 7 and Windows Server 2008 R2 to verify SHA-2 Code Signing Certificates and to accept SHA-2 signed drivers. Windows Vista, Windows Server 2008 and earlier platforms are outside the scope of this update and still cannot load SHA-2 signed kernel drivers.
Continued issuance of SHA-1 Code Signing Certificates
In order to provide signed drivers that Windows Vista, Windows Server 2008 and earlier platforms can verify and accept, CAs are allowed to continue issuing SHA-1 Code Signing Certificates after January 1st, 2016. However, SHA-1 Code Signing Certificates should be used only when targeting these earlier platforms, because SHA-1 is no longer considered secure and is susceptible to collision attacks. Windows 7 and later platforms will stop accepting SHA-1 Code Signing Certificates after January 1st, 2016. Software developers who ship to both old and new platforms may therefore need to hold, and sign with, both a SHA-1 and a SHA-2 certificate.
Code Signed Kernel Driver Acceptance
| Platform | Before January 1, 2016: SHA-1 | Before January 1, 2016: SHA-2 | On or after January 1, 2016: SHA-1 | On or after January 1, 2016: SHA-2 |
|---|---|---|---|---|
| Windows XP SP3 | Yes | No | Yes | No |
| Windows Vista | Yes | No | Yes | No |
| Windows 7 | Yes | Yes (with update) | No | Yes (with update) |
| Windows 8 | Yes | Yes | No | Yes |
| Windows Server 2008 | Yes | No | Yes | No |
| Windows Server 2008 R2 | Yes | Yes (with update) | No | Yes (with update) |
| Windows Server 2012 | Yes | Yes | No | Yes |

Legacy platforms (Windows XP SP3, Windows Vista, Windows Server 2008) keep accepting SHA-1 signed kernel drivers after the cutoff and never gain SHA-2 support; Windows 7 and Windows Server 2008 R2 accept SHA-2 only once the update described above is installed.
How to handle SHA-1 Code Signed software generated before January 1st, 2016
Windows 7 and later platforms will stop accepting SHA-1 signed software that carries no timestamp on January 1st, 2016. Software whose signature is timestamped before January 1st, 2016 will continue to be accepted until January 14th, 2020, when extended support for Windows Server 2008 ends. Timestamping SHA-1 signed releases before the cutoff is therefore what keeps them installable on newer platforms.
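The two practical consequences of the policy above, holding both a SHA-1 and a SHA-2 certificate for mixed targets and making sure every signature is timestamped, come together in a dual-signing workflow. The following PowerShell script is an added example, not code from GlobalSign or Microsoft. It assumes signtool.exe from the Windows SDK at the path shown, two code signing certificates already installed in the current user's store (selected by thumbprint), and timestamp server URLs; the thumbprints, URLs and file paths are placeholders, not values from the article.

```powershell
# Added example: dual-sign a binary for mixed Windows targets and summarise what it carries.
# signtool.exe location is assumed; adjust to the installed Windows SDK.
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'

function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha1CertThumbprint,   # SHA-1 code signing cert (legacy targets)
        [Parameter(Mandatory)] [string] $Sha2CertThumbprint,   # SHA-2 code signing cert (Windows 7+ targets)
        [string] $AuthenticodeTsa = 'http://timestamp.example.invalid/authenticode',  # placeholder URL
        [string] $Rfc3161Tsa      = 'http://timestamp.example.invalid/rfc3161'        # placeholder URL
    )
    # 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
    #    XP SP3 / Vista / Server 2008 only read the primary signature, so it must be the SHA-1 one.
    & $SignTool sign /sha1 $Sha1CertThumbprint /fd sha1 /t $AuthenticodeTsa $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (signtool exit code $LASTEXITCODE)" }

    # 2. Appended (/as) signature: SHA-256 file digest with an RFC 3161 timestamp digested with SHA-256.
    #    Windows 7 / Server 2008 R2 (with update 3033929) and later evaluate this signature.
    & $SignTool sign /as /sha1 $Sha2CertThumbprint /fd sha256 /tr $Rfc3161Tsa /td sha256 $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (signtool exit code $LASTEXITCODE)" }
}

function Get-SignatureSummary {
    param([Parameter(Mandatory)] [string] $Path)
    # Full detail for every signature (file digest algorithm, timestamp time, chain) comes from
    # signtool itself; /all covers dual-signed files, /pa applies the default Authenticode policy.
    & $SignTool verify /pa /v /all $Path

    # Get-AuthenticodeSignature reports the primary signature only, which is enough to check
    # whether a legacy release is timestamped and which certificate family signed it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status                                       # Valid / NotSigned / HashMismatch ...
        SignerSubject    = $sig.SignerCertificate.Subject
        CertAlgorithm    = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName  # sha1RSA vs sha256RSA
        CertNotAfter     = $sig.SignerCertificate.NotAfter
        IsTimestamped    = [bool] $sig.TimeStamperCertificate                # untimestamped SHA-1 dies 2016-01-01
    }
}

# Usage with placeholder values:
# Invoke-DualSign -Path .\driver.sys -Sha1CertThumbprint '<sha1-cert-thumbprint>' -Sha2CertThumbprint '<sha2-cert-thumbprint>'
# Get-SignatureSummary -Path .\driver.sys
```

The order matters: the SHA-1 signature goes first because pre-Windows 7 platforms only look at the primary signature, and `/as` then appends the SHA-256 signature for newer platforms. Every signature is timestamped so that, per the section above, a SHA-1 signature applied before January 1st, 2016 keeps validating on Windows 7 and later until January 14th, 2020. Kernel-mode drivers of that era additionally required the Microsoft cross-certificate (`/ac`), which the article does not cover.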
GlobalSign to provide SHA-1 Certificates with SHA-2 Certificates at no additional cost
In line with the updated deprecation policy, GlobalSign will continue issuing SHA-1 Code Signing Certificates after January 1st, 2016. During this period, GlobalSign will offer a SHA-1 Code Signing Certificate free of charge with the purchase of a SHA-2 Code Signing Certificate. GlobalSign strongly recommends that all customers purchase and use SHA-2 Certificates wherever possible, but hopes to aid those developers whose target platforms do not yet support SHA-2.
To take advantage of this offer, please contact GlobalSign before purchasing a certificate. Learn more about Code Signing from GlobalSign!
References:
https://technet.microsoft.com/en-us/library/security/3033929.aspx
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx