TL;DR : If you digitally sign your software you need to make sure you have an SHA2 certificate and use it to dual sign your software with both SHA1 and SHA2 digests.
Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.
I don’t digitally sign Windows software, does this affect me?
No. But perhaps treat Windows unsigned software warning with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).
What is SHA1?
SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.
What happens if my certificate is SHA1?
If you signed your software with a timestamp before 01-Jan-2016:
- It will be treated by Windows XP SP2/XP SP3/Vista as signed.
- It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.
If you signed your software with a timestamp on or after 01-Jan-2016:
- It will be treated by Windows XP SP2/XP SP3/Vista as signed.
- On Windows 7/8/10 and you will get an ugly “The signature of <file> is corrupt or invalid” or “The signature of this program is corrupt or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).
Windows seems to treat software that has been downloaded from the web (with ‘mark of the web’) differently. So make sure you test a version of your software you have downloaded from the web. I carried out some tests on 01-Mar-2016 using an SHA1 certificate to sign an executable and then dowload it. It worked ok when downloaded using Firefox or Chrome, but was shown as corrupt when downloaded using IE.
How do I know if my current certificate is SHA1?
- Right click on your most recently signed installer and select Properties.
- Click on the Digital Signatures tab.
- Select the signature and click on the Details button.
- Click the View Certificate button.
- Click the Details tab.
- Look at the Signature hash algorithm.
What should I do if my certificate is SHA1?
If you certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).
I have an SHA2 certificate, now what?
If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:
signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>
signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>
Note the the order of the above is important (SHA1 first).
The Comodo SHA1 and SHA2 timestamp server is:
http://timestamp.comodoca.com
You can add a /debug flag for verbose output.
If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).
You can use chktrust.exe to check the signature:
chktrust.exe <installer>
Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.
I always sign the program, as well as the installer.
Can I double sign .msi files?
I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.
What happens to software I signed with my SHA1 certificate after the certificate is revoked?
Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017
How do I sign Windows XP SP1/XP SP2 software?
Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. Its not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.
Does this affect SSL certificates as well as code signing (Authenticode) certificates?
I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.
How does this affect signing of device drivers?
I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.
What is the difference between SHA2 and SHA256?
SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.
How secure is SHA2?
Er, it was designed by the NSA. Supply your own joke.
I don’t have a digital certificate, where can I get one?
I got my Comodo code signing certificate from reseller ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.
Update: See renewing my authenticode digital certificate .
Anything else I should know?
Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.
Acknowledgements
Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.
Further reading
http://zabkat.com/blog/code-signing-sha1-armageddon.htm
Updates
02-Mar-2016: Added missing link and minor update.
03-Mar-2016: Minor update.
25-Feb-2023: Added link to https://successfulsoftware.net/2023/02/25/renewing-my-authenticode-digital-certificate/.
Successful Software 
Do you need to have 2 separate certificates to dual sign? One for sha1 and a separate one for sha2?
Do you (or anyone reading this) know the command lines needed to dual sign using osslsigncode? Is the “-nest” option needed there?
>Do you need to have 2 separate certificates to dual sign?
No. My understanding is that you can use just an SHA2 cert to dual sign for XP SP3 and later. You only need an SHA1 cert if you want to sign for XP SP2.
I don’t know anything about osslsigncode.
You might — it depends on exactly what you want to do.
It is possible to include a full SHA1 and full SHA256 signature on one file (well, at least with PE files).. The only reason to do that is if you need to support Windows versions older than Windows XP SP3.. To do that you do need two certificates.
If you just want to support XP SP3 and Vista, you only need a single certificate because you can do an SHA1 file digest and timestmap even with a SHA256 certificate (because those operations are a function of the signing tool rather than the certificate itself).
Nick, I found this worked out with osslsigncode, but I needed to append the SHA2 sig to the SHA1 one. It didn’t work the other way around: http://www.elstensoftware.com/blog/2016/02/10/dual-signing-osslsigncode/
Thanks for the useful blog post, gravelld (and Andy too). Just what I was looking for.
If you only need to support XP SP3 and later, then you can use an SHA-256 certificate to create an SHA-1 signature with an SHA-1 timestamp, because XP SP3’s partial support for SHA-256 covers SHA-256 certificates. If you need to support XP SP2 or older versions of Windows, then you need a separate SHA-1 certificate, because XP SP2 and prior have no support for SHA-256.
I have just tested my new SHA-256 cert on Windows XP and Vista — they are recognized as signed. And I did not double-sign. Is it really needed?
Are you sure your single signing is also recognized on 7/8/10?
Yes ( this is the file we are talking about: http://www.powerkaraoke.com/download/siglos2-karaoke-setup.exe ). Last week we found out the hard way that SHA-1 is no longer supported in Windows 10. After two days (and help from Mitchell) we had the new SHA-256 certificate which works without problems. I did some tests and it looks like countersignature is not recognized correctly by Windows XP (as it is SHA-256 as well), but it might matter after the certificate expires.
One more thing you might add to the article is SmartScreen reputation — after I have re-singed the files with the new certificate, SmartScreen complained that the file was not commonly downloaded. I even considered getting EV cert for a while, but the message disappeared after couple of hours.
I have heard elsewhere that changing your signature will reset your SmartScreen reputation, but you should get your reputation back quite quickly (within a few days).
Hi Piotr — the file you linked is using an SHA256 signature but an SHA1 file digest and timestamp. According to what I’ve read and been told, it’s the SHA256 file digest and timestamp that Windows XP SP3 and Vista have trouble with.
What isn’t clear from Microsoft is if SHA1 file digests and timestamps are going to remain OK (as long as the signature algorithm itself is SHA256), or not. So far it seems to work just fine.
Your EXE runs just fine on all of my test machines here with no warnings (SmartScreen or otherwise). I tested on Windows 7-Windows 10
Thanks. I am happy that there is no scary message, if Microsoft changes anything in the future we will adapt as always :)
Hi Andy, I’ve downloaded your software and it’s signed with sha1 certificate only :), I’ve wrote my own signing code in C# using MSSIGN32.dll library, but it seems it’s possible to sign file with 2 certificates only on >= Win 8 (hell, even their documentation is wrong on SignerSignEx2 function).
I’ve been playing with timestamping file with 2 signatures, finally I’ve been able to do that with proper sha2 timestamp but the timestamp is only set on the first sha1 signature, can’t find any documentation what the proper order should be and which signature should be timestamped (first, second, both?).
I haven’t done a release yet in 2016. So my installers are still all signed with SHA1. I will (attempt to) double sign my next release.
Are you doing something different to the example signing code above?
Well I’ve signed my executables with SHA1 signature + SHA2 signature (using SHA1 timestamp on SHA1 signature). Then I’ve found a way to sign my executables with SHA1 + SHA2 (SHA2 timestamp on the SHA1 signature).
I don’t know what the proper order of the signatures should be, when I sign my files in this order:
Steps:
1. Sign with SHA1
2. Sign with SHA2
3. Timestamp SHA2 signature (RFC)
I get this in file:
SHA1 signature (+ RFC SHA2 signature)
SHA2 signature (without timestamp)
So the timestamp lands on the SHA1 signature. I don’t know if that’s correct.
Can’t find any answers on that.
Ok, I got it all figured out ;). Both signatures has to be timestamped, SHA1 with SHA1 timestamp (authenticode) and SHA-256 with SHA-256 timestamp (rfc), but some things are just broken, like this Verisign timestamp RFC server http://timestamp.geotrust.com/tsa it’s broken and returns SHA1 timestamp even if SHA-256 is requested. I’m using http://timestamp.comodoca.com for SHA1 and SHA-256 timestamps, it works fine.
PS. http://timestamp.comodoca.com?td=sha256 param ?td=sha256 can be dropped.
SignerSignEx2() is only available on Windows 8 and later, which makes that the minimum OS for dual signing.
I know, and it sucks. I truly hate MS for all of their anti-compatibility “strategies” around the WinAPI.
What is your source for stating that Windows 7 and later will reject SHA-1 certificates regardless of timestamp on 1/1/2017? http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx states “no change” code signing certificates on 1/1/2017. The only change stated on that page that affects code signing on 1/1/2017 is that Windows 10 will require SHA-256 timestamps.
The above is based on various articles I have read and some correspondence with Mitchell Vincent of KSoftware. As I have yet to make a new release in 2016, I haven’t tried the above ‘in anger’. The main reasons I wrote the article was a) to clarify my own understanding of the issues and b) so get input from other members of the community. The whole situation seems rather confused and in a state of flux. If there are mistakes in the article, I plan to correct them.
The situation is indeed rather confused because many have an opinion, few check their sources, and Microsoft’s communication on the issue is poor. My own understanding of the policy is summarized in my answer here: http://security.stackexchange.com/a/110339/96640
Jan, I agree that it is confusing and that’s partially because Microsoft has changed their write-ups quite a few times in the last 18 months.
According to what I’ve been able to find out, this is the authoritative write-up right now :
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
—
Overview
Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web [This link is external to TechNet Wiki. It will open in a new window.] related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.
This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature.
….
Perhaps that doesn’t mean what I think it means.. I’d welcome your thoughts!
What is additionally confusing is Microsoft’s super-secret-squirrel implementation of these changes.. I have 1 Windows 10 computer here, fully updated as far as I can tell, that runs SHA-1 cert signed/timestamped/FD’d files, and another that refuses with the ‘signature corrupted’ error with Edge.
The write-up you’re referencing is the same one I’ve been referencing. The second paragraph in the overview talks about timestamping certificates, implying that all SHA-1 timestamps will be rejected starting 1/1/17. This contradicts the Schedule section in the same writeup, which says “no change” for timestamp certificates on 1/1/17. For “timestamp signature hashes” (the actual timestamp), it says “Windows no longer trusts files with th Mark of the Web attribute that are timestamped with SHA-1 signature ha on Windows 10 systems.” for 1/1/17.
Of course, the end result is the same. A developer targeting Windows 10 will need to be using SHA-256 timestamps by 1/1/17, so that developer may just as well switch everything to SHA-256 by then, possibly dual signing if XP and Vista still need to be supported.
Actually, if my interpretation is correct and SHA-1 signatures remain valid (just like MD5 signatures are still valid) but SHA-1 timestamps are rejected, then a download with an SHA-1 signature would still be treated as correctly signed if the signature was made with an SHA-256 certificate and the certificate has not yet expired. The same happens today with signatures that are not timestamped at all.
Thanks Andy. Is /as flag madatory? I am having Windows 7.0 SDK. signtool.exe doesn’t support /as as you said above.
Note that when I add ?td=sha256 parameter to Comodo’s timestamp server, I get following error: Error information: “SignerTimeStampEx2() failed. This parameter is not required when using RFC method (/tr). But it is required when using Authenticode (/t).
After removing that parameters, it timestamps correctly. This page here: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/68/7/ says that the server will automatically choose the algorithm based on /td signtool’s parameter.
I still refuse to digitally sign my executables. I used to sign them a few years ago and didn’t see a bit of difference, but didn’t A/B test. Anyone ever conducted an A/B test to measure how much the signature is worth in B2C?
With havin so much written content do you ever run into any issues of plagorism or copyright infringement?
My blog has a lot of completely unique content I’ve either created myself or outsourced but it seems a lot of it is popping it
up all over the internet without my agreement. Do you know any methods to help prevent
content from being stolen? I’d truly appreciate it.
The text on my blog is licensed under creative commons. So I am quite happy for it to be copied, as long as it is attributed.
Great article!
Link missing:
“Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.”
I fixed the broken link, thanks.
I believe I have now successfully dual signed Hyper Plan v2.0.0 using the above information. Once I had the new SHA2 certificate it didn’t take long at all to download a new version of signtool.exe and amend my build script, as above.
Where did you get signtool.exe? Is that Ksign’s? kSign\kSignCMD.exe
I added the missing link into the article:
http://zabkat.com/extras/signtool_8.1.zip
Andy, how long did it take before you got the email from Comodo (after requesting a the SHA256 from Ksoftware?
I waited about 48 hours then I contacted KSoftware. Mitchell chased then up and I got it shortly after that.
only viruses sign their software