Windows 10: Microsoft to use SHA-2 exclusively starting May 9, 2021

As a major move to the more secure SHA-2 algorithm, Microsoft will allow the Secure Hash Algorithm 1 (SHA-1) Trusted Root Certificate Authority to expire. Beginning May 9, 2021 at 4:00 PM Pacific Time, all major Microsoft processes and services—including TLS certificates, code signing and file hashing—will use the SHA-2 algorithm exclusively.

Why are we making this change?

The SHA-1 hash algorithm has become less secure over time because of the weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not experience the same issues. As a result, we changed the signing of Windows updates to use the more secure SHA-2 algorithm exclusively in 2019 and subsequently retired all Windows-signed SHA-1 content from the Microsoft Download Center on August 3, 2020.

What does this change mean?

The Microsoft SHA-1 Trusted Root Certificate Authority expiration will impact SHA-1 certificates chained to the Microsoft SHA-1 Trusted Root Certificate Authority only. Manually installed enterprise or self-signed SHA-1 certificates will not be impacted; however we strongly encourage your organization to move to SHA-2 if you have not done so already.

Keeping you protected and productive

We expect the SHA-1 certificate expiration to be uneventful. All major applications and services have been tested, and we have conducted a broad analysis of potential issues and mitigations. If you do encounter an issue after the SHA-1 retirement, please see Issues you might encounter when SHA-1 Trusted Root Certificate Authority expires. In addition, Microsoft Customer Service & Support teams are standing by and ready to support you.


Source: https://techcommunity.microsoft.com/...1/ba-p/2261924

:)

 

Microsoft to use SHA-2 exclusively starting May 9, 2021

I'm a bit confused by the link in the last paragraph.

Ahhh.... Scroll down and where it asks: "Was this information helpful?", click either Yes or No, to see the info.





Or just read it here....

 

Microsoft to use SHA-2 exclusively starting May 9, 2021

Source: https://techcommunity.microsoft.com/...1/ba-p/2261924

 

SHA-2 Code Signing questions

First and foremost, this is my very first experience with Code Signing.

I bought Standard Code Signing from Certum for 3 years.

It is SHA-2 based:

They are all normal Windows Executables; for end users, both portable and installers.

Questions:

1. Bearing in mind the certificate has been issued 10. 10. 2016, i.e. after 1. 1. 2016, does this somehow influence how the signature will behave? I ask this on behalf of reading about deprecation of SHA-1, e.g.:
   
   
2. Should I also timestamp? What is this good for? Are there any disadvantages of timestamping? I found this, which does not really clear things up:
   
   
3. Supposing I would drop support for XP and Vista, will SHA-2 code signature work properly on Windows 7? I read on DigiCert that SHA-2 Code Signing support on Windows 7 is Partial:
   
   
4. There is a havoc around cross-signing SHA-2 (SHA-256 in particular) and SHA-1. Supposing as I said I will no longer support WinXP and Vista, do I need this?