The truth about SHA1, SHA-256, dual-signing, and Code Signing Certificates
Learn about SHA1, SHA-256, SHA2, dual-signing and code signing
Since 30 May 2020, SHA-1 timestamping has been deprecated: the SHA-1 timestamping roots have expired, so use only the SHA-256 timestamp server from now on. Microsoft announced its SHA-256 transition several years before that, and every Windows software developer was required to be on SHA-256 as of 1 January 2016.
The Microsoft PKI blog spells the policy out. In brief, Windows and Windows Server stopped trusting new code signed with a SHA-1 code signing certificate in Mark-of-the-Web scenarios (for example, downloaded files carrying a digital signature) when that code has been time-stamped with a value later than 1 January 2016. Those restrictions did not apply to the time-stamp certificate used to time-stamp the code-signing signature, nor to that certificate's signature hash, until 1 January 2017. After that date Windows treats any code carrying a SHA-1 time-stamp or a SHA-1 signature hash as though it had no time-stamp signature at all.
So what is the actual truth? Explained in detail
Any file signed with a SHA-1 certificate needs a timestamp dated before 1 January 2016 to remain supported. Such files were still allowed through the Mark-of-the-Web check until 14 January 2020, when SHA-1 support ended in all current versions of Windows. Any new signature created or timestamped on or after 1 January 2016 must be SHA-256 based; otherwise users get a "digital signature is corrupted or invalid" error when downloading.
Which versions of Windows support SHA-256 signatures?
SHA-256 signatures are not supported on Windows XP SP2 or earlier. On Windows XP SP3, Windows Vista and Windows Server 2008, SHA-256 is supported in user mode only; SHA-256 certificates are not supported for drivers on any version before Windows 7, and Windows 7 and Windows Server 2008 R2 need Microsoft's SHA-2 code signing support update (security advisory 3033929) before they accept SHA-256 signed drivers.
To support Windows XP SP3 and Windows Vista you need to dual-sign the file and include a SHA-1 file digest, like this:
signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha1 /t http://timestamp.<COMPANYNAME>.com /v foo.exe
signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.<COMPANYNAME>.com/?td=sha256 /td sha256 /as /v foo.exe
Run both signtool.exe commands, in that order. The /as switch on the second command appends the SHA-256 signature to the existing one; without it, the second run would replace the SHA-1 signature instead of adding to it.
Note that you may need to pass additional arguments to signtool.exe, such as the password that decrypts the PFX/P12 file (/p above). Recent SignTool builds warn, or refuse to sign, when no /fd is given, which is why the SHA-1 command passes /fd sha1 explicitly.
Note that you need SignTool version 6.3 or later to do this. It ships with the Windows 8.1 SDK, or download it here: <LINK OF THE COMPANY ATTACHED>
If you want to include a full SHA-1 signature (to support even older Windows versions), use two different certificates: a SHA-1 certificate for the first signature and a SHA-256 certificate for the appended one:
signtool.exe sign /f MySHA1Cert.pfx /p <PFX password> /fd sha1 /t http://timestamp.<COMPANYNAME>.com /v foo.exe
signtool.exe sign /f MySHA256Cert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.<COMPANYNAME>.com/?td=sha256 /td sha256 /as /v foo.exe
What about supporting versions of Windows that do not support SHA-256?
If you want to support Windows XP SP2 or earlier, you should dual-sign your EXEs, DLLs and other files. This requires a SHA-1 based certificate.
You can dual-sign with SignTool version 6.3, which comes with the Windows 8.1 SDK:
signtool.exe sign /f MyCert.pfx /fd sha1 /t <URL to SHA-1 Authenticode timestamp server> /v foo.exe
signtool.exe sign /f MyCert.pfx /fd sha256 /tr <URL to SHA-2 RFC-3161 timestamp server> /td sha256 /as /v foo.exe
Note that you may need to pass additional arguments to signtool.exe, such as a password to decrypt the PFX/P12 file (/p <PFX password>).
For SHA-256 timestamps, use Comodo's SHA-256 (RFC 3161) timestamp server: http://timestamp.<COMPANYNAME>.com/?td=sha256
If your users see the error "The signature of this program is corrupt or invalid" when they download, you need to upgrade to a SHA-256 signature.
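Once both commands have run, the thing to confirm is what the file actually carries: a SHA-1 primary signature with a legacy (/t) timestamp and, nested inside it, a SHA-256 signature with an RFC 3161 (/tr) timestamp. The script below is an added example for this article (not the article's or the certificate vendor's code) that reads the PKCS#7 blob from a signed PE and reports the digest algorithm and timestamp type of every signature, following the nested-signature attribute that /as creates. It uses only the Python standard library and inspects structure only; it does not validate any signature or certificate chain. build_sample() is a constructed, stubbed fixture (placeholder issuer, serial, digests and timestamp tokens) laid out the way a dual-signed file is, so the parser can be exercised offline; the OIDs and PE offsets are the published Authenticode and PE values.

```python
"""Report digest algorithm and timestamp type for every Authenticode signature in a PE,
following signatures nested by signtool /as. Added example (not the article's own code);
stdlib only; it inspects structure and verifies nothing."""
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_COUNTERSIGNATURE = "1.2.840.113549.1.9.6"   # legacy Authenticode timestamp (/t)
OID_RFC3161_TIMESTAMP = "1.3.6.1.4.1.311.3.3.1"  # RFC 3161 timestamp (/tr)
OID_NESTED_SIGNATURE = "1.3.6.1.4.1.311.2.4.1"   # signature appended with /as
DIGEST_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def der(tag, *parts):
    """Encode one DER element (used to re-wrap nested signatures and to build the fixture)."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def decode_oid(raw):
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, n = parts + [str(n)], 0
    return ".".join(parts)

def describe(blob):
    """[(digest, timestamp), ...]: primary signature first, then each nested one."""
    (_, ctype), (_, wrapper) = list(children(read_tlv(blob)[1]))[:2]
    if decode_oid(ctype) != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 SignedData")
    fields = list(children(next(children(wrapper))[1]))  # SignedData: version, digestAlgorithms, ..., signerInfos
    alg_id = next(children(fields[1][1]))[1]             # first AlgorithmIdentifier in digestAlgorithms
    digest_oid = decode_oid(next(children(alg_id))[1])
    digest = DIGEST_NAMES.get(digest_oid, digest_oid)
    signer_info = next(children(fields[-1][1]))[1]       # first SignerInfo
    timestamp, nested = "none", []
    for tag, attrs in children(signer_info):
        if tag != 0xA1:                                  # [1] IMPLICIT unauthenticatedAttributes
            continue
        for _, attr in children(attrs):
            (_, oid), (_, values) = list(children(attr))[:2]
            oid = decode_oid(oid)
            if oid == OID_COUNTERSIGNATURE:
                timestamp = "authenticode"
            elif oid == OID_RFC3161_TIMESTAMP:
                timestamp = "rfc3161"
            elif oid == OID_NESTED_SIGNATURE:            # SET OF ContentInfo, one per /as run
                for _, inner in children(values):
                    nested.extend(describe(der(0x30, inner)))
    return [(digest, timestamp)] + nested

def read_pe_signature(path):
    """Raw PKCS#7 blob from a PE's security directory, or None if the file is unsigned."""
    with open(path, "rb") as f:
        data = f.read()
    def u32(off): return int.from_bytes(data[off:off + 4], "little")
    opt = u32(0x3C) + 24                                    # optional header: past 'PE\0\0' + COFF header
    sec = opt + (128 if data[opt:opt + 2] == b"\x0b\x01" else 144)  # security directory, PE32 vs PE32+
    off = u32(sec)
    return data[off + 8:off + u32(off)] if off else None    # WIN_CERTIFICATE: dwLength, then 8-byte header

def encode_oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = [40 * a + b]
    for n in rest:
        chunk = [n & 0x7F]
        while n >> 7:
            n >>= 7
            chunk.append(0x80 | (n & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def build_sample():
    """Constructed fixture shaped like signtool output: SHA-1 primary signature with a /t
    countersignature, SHA-256 signature with an RFC 3161 token nested by /as. Placeholder issuer/digests/tokens."""
    def signed(digest_oid, attrs):
        alg = der(0x30, encode_oid(digest_oid), der(0x05))
        unauth = der(0xA1, *[der(0x30, encode_oid(o), der(0x31, v)) for o, v in attrs])
        signer = der(0x30, der(0x02, b"\x01"), der(0x30, der(0x30), der(0x02, b"\x01")), alg,
                     der(0x30, encode_oid("1.2.840.113549.1.1.1"), der(0x05)), der(0x04, bytes(4)), unauth)
        body = der(0x30, der(0x02, b"\x01"), der(0x31, alg), der(0x30), der(0x31, signer))  # contentInfo stubbed
        return der(0x30, encode_oid(OID_SIGNED_DATA), der(0xA0, body))
    sha256_sig = signed("2.16.840.1.101.3.4.2.1", [(OID_RFC3161_TIMESTAMP, der(0x30))])
    return signed("1.3.14.3.2.26", [(OID_COUNTERSIGNATURE, der(0x30)), (OID_NESTED_SIGNATURE, sha256_sig)])
```

For a file produced by either command pair above, describe(read_pe_signature("foo.exe")) is expected to return the primary SHA-1 entry with timestamp "authenticode" followed by the nested SHA-256 entry with timestamp "rfc3161". A single sha1 entry means the second command never ran or ran without /as; a lone sha256 entry means the SHA-1 pass was overwritten. On Windows, signtool verify /pa /all /v foo.exe lists the same signatures together with their chain and timestamp validation results, which this script deliberately does not attempt.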