Problem:
The SHA-1 hash is being phased out because of its inadequate collision resistance. In other words, it no longer produces code signatures that are strong enough by today's cryptographic standards.
If your SHA-1 file was timestamped before 1/1/2016 then there is no problem. This only affects files signed with SHA-1 post 1/1/2016.
The following table details the SHA support for Windows:
| Windows OS | SHA-1 | SHA-256 |
| --- | --- | --- |
| XP SP3, Server 2003 | Yes | |
| Vista, Server 2008 | Yes | No without updates (specifically KB2763674) |
| 7, Server 2008 R2 | No (if signed after 1/1/2016) | Yes with latest updates |
| 8.1, Server 2012 R2 | No (if signed after 1/1/2016) | Yes |
| 10, Server 2016 | No (if signed after 1/1/2016) | Yes |
Up to mid-2016 we signed all our files and installers with SHA-1. In summary, this gives us the following behaviour:
- Downloading in Edge or IE on Windows 10 is blocked.
- Downloading in latest version of IE 11 is blocked.
- If UAC is on (Vista or later) then you will see a warning that the file has an unknown publisher but the file will run as expected.
If we signed all our files and installers with just SHA-2 we would get around all the problems above, but we would see the following issue on old OSes (XP/2003):
- The file installs fine, but if you look at its properties you will see that the SHA-2 certificate is not recognised, so the file is reported as having an invalid certificate.
More info can be found here in Microsoft’s TechNet article.
Resolution:
- All installers will be dual signed with both SHA-1 and SHA-2 certificates where possible. If the installer's file type supports only one signature, that signature has to be SHA-2.
- All product files will be signed with SHA-2 certificates.
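The dual-signing resolution above, written out as an added PowerShell example (this is not the page's own script; it assumes signtool.exe from the Windows SDK is on the PATH, and the certificate paths, password variable and timestamp URL are placeholders). The SHA-1 signature is applied first because XP/2003 only read the primary signature, and the SHA-256 signature is appended with `/as`; the `-SingleSignature` switch covers installer formats that can hold only one signature, where the page's rule says it must be SHA-2.

```powershell
# Added example: dual-sign a file (SHA-1 primary, SHA-256 appended) and verify both.
# All paths, the password source and the timestamp URL are placeholders (assumptions).
param(
    [string]$File           = ".\Setup.exe",
    [string]$Sha1Pfx        = ".\codesign-sha1.pfx",
    [string]$Sha256Pfx      = ".\codesign-sha256.pfx",
    [string]$PfxPassword    = $env:CODESIGN_PFX_PASSWORD,
    [string]$TimestampUrl   = "http://timestamp.example.invalid",   # placeholder
    [switch]$SingleSignature   # set for formats that can carry only one signature
)

$signtool = (Get-Command signtool.exe -ErrorAction Stop).Source

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $signtool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

if (-not $SingleSignature) {
    # 1) Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
    #    This is the signature old OSes (XP/2003) evaluate.
    Invoke-SignTool @('sign', '/f', $Sha1Pfx, '/p', $PfxPassword, '/fd', 'sha1',
                      '/t', $TimestampUrl, $File)

    # 2) Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp (/tr, /td).
    Invoke-SignTool @('sign', '/as', '/f', $Sha256Pfx, '/p', $PfxPassword, '/fd', 'sha256',
                      '/tr', $TimestampUrl, '/td', 'sha256', $File)
}
else {
    # Only one signature fits, so per the resolution it must be SHA-2 (SHA-256 digest).
    Invoke-SignTool @('sign', '/f', $Sha256Pfx, '/p', $PfxPassword, '/fd', 'sha256',
                      '/tr', $TimestampUrl, '/td', 'sha256', $File)
}

# 3) Verify every signature on the file under the default Authenticode policy.
#    /all makes signtool check the appended signature too, not just the primary one.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)

# 4) Summarise the primary signature as Windows' own API reports it.
#    Get-AuthenticodeSignature only exposes the primary signature, which is why
#    step 3 is still needed to confirm the appended SHA-256 signature.
$sig = Get-AuthenticodeSignature -FilePath $File
[pscustomobject]@{
    File       = $File
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Timestamp  = $sig.TimeStamperCertificate.Subject
}
```

Run it once per installer; the `verify /pa /all` step fails the build if either signature is missing or untrusted, which is the check that catches a file accidentally shipped with a SHA-1-only signature.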
#MFDS
#EnterpriseDeveloper