The SHA256 transition that Microsoft announced a few years ago is upon us, which means all Windows software developers are being forced on board as of Jan 1, 2016.
According to the Microsoft PKI blog :
This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature."
**** It has come to our attention that starting late in 2016 (29 Sep 2016 to be exact), Microsoft heavily revised the article at the above link and drastically changed its content regarding code signing certificates. While it does appear SHA1 code signing certificates are deprecated on some Windows 7+ systems (information gathered from customers and direct experience at K Software), Microsoft may well have reversed that policy as they list code signing certificates as "Unaffected". The content of the article you're reading now was based on the Microsoft article from Dec 2015, through September 2016. We apologize if we have disseminated bad or false information but with no notification from Microsoft that their policy has so drastically changed, we were passing on the best information we had. As it stands, we have been unable to find any official policy from Microsoft regarding SHA1 code signing certificates. We are leaving this article up for the time being but as you read it, keep in mind that the information about Microsoft's policy regarding SHA1 code signing certificate may now be incorrect.
What does that mean?
That any files signed with an SHA-1 certificate needs to have a timestamp showing a date and time prior to Jan 1, 2016 in order to continue to be supported. Those files will still be allowed through the 'Mark-of-the-web" system until Jan 14, 2020, when all SHA-1 support will stop in all current versions of Windows. Any new signatures created or timestamped after Jan 1, 2016 must be SHA-256 based signatures or they will cause a "digital signature is corrupted or invalid" error when downloading.
What versions of Windows support SHA-256 signatures?
SHA-256 signatures are not supported in Windows XP SP2 or earlier. SHA-256 is only supported in User Mode for Windows XP SP 3, Vista and Windows Server 2008R1 -- SHA-256 certificates are not supported for drivers on any version prior to Windows 7.
In order to support Windows XP SP3 and Windows Vista you need to dual sign and include an SHA1 file digest. Like this :
signtool.exe sign /f MyCert.pfx /p <PFX password> /t http://timestamp.comodoca.com /v foo.exe
signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe
Run BOTH of those signtool.exe commands.
*** Note that you may need to pass additional arguments to signtool.exe -- like a password to decrypt the PFX/P12 file.
Note that you do need the 6.3 version of Signtool to do this. It comes with the Windows 8.1 SDK, or download here..
If you want to include a FULL SHA1 signature (to support even older Windows versions) - use two different certificates :
signtool.exe sign /f MySHA1Cert.pfx /p <PFX password> /t http://timestamp.comodoca.com /v foo.exe
signtool.exe sign /f MySHA256Cert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe
Of course you can always use our utility, kSign, as it now supports dual-signatures in an easy-to-use GUI interface. Click here to read more about kSign.
What about supporting versions of Windows that don't support SHA-256?
If you want to support Windows XP SP2 or earlier, you should dual-sign your EXEs, DLLs and other files. This will require an SHA-1 based certificate**
If you wish to dual-sign you may do so with the 6.3 version of signtool that comes with windows 8.1 SDK (or just use kSign!).
signtool.exe sign /f MyCert.pfx /t <URL to SHA-1 Authenticode timestamp server> /v foo.exe
signtool.exe sign /f MyCert.pfx /fd sha256 /tr <URL to SHA-2 RFC-3161 timestamp server> /td sha256 /as /v foo.exe
* Note that you may need to pass additional arguments to signtool.exe -- like a password to decrypt the PFX/P12 file.
For SHA-256 timestamps, use Comodo's SHA256 timestamp server: http://timestamp.comodoca.com/?td=sha256
We can provide new SHA-1 certificate for use specifically with legacy systems, please contact email@example.com with your existing order number to find out more.
If your users are getting an error message that reads "The signature of this program is corrupt or invalid" when they download, you need to upgrade to an SHA-256 signature!
If you need a new SHA-256 signature you may purchase one from our website at http://codesigning.ksoftware.net
If you need to replace your SHA-1 certificate with an SHA-256 certificate (for free), please visit https://secure.ksoftware.net/sha256.php to submit your replacement order.