Windows 10: SHA-1 Deprecation Update

Discuss and support SHA-1 Deprecation Update in Windows 10 News to solve the problem; In a previous update on TechNet, we announced that Windows will block SHA-1 signed TLS certificates starting on January 1, 2017. In light of recent... Discussion in 'Windows 10 News' started by Brink, Nov 3, 2015.

  1. Brink
    Brink New Member

    SHA-1 Deprecation Update


    Source: SHA-1 Deprecation Update | Microsoft Edge Dev Blog

    :)
     
    Brink, Nov 3, 2015
    #1
  2. Rob Koch Win User

    Downloading file.exe

    Since this only recently started with your other Windows 10 system, I suspect that Microsoft only just finally enabled the detection of these SHA-1 signed files, quite possibly in the recent Windows 10 Anniversary update or at least the IE11 updates that
    were included within it.

    So if you had installed the update on one system and not the Surface Pro 4, this might explain the difference, since my own system I was using to test here is actually running Windows 8.1 and apparently has also received an update which generates that same
    corrupt or invalid message you received.

    Looking around, I just found another Web Developer blog article that discusses the SHA-1 deprecation roadmap. Though this doesn't specifically mention how files containing digital signatures will be handled, I suspect that the effects on SSL certificates
    using SHA-1 and those for file downloads when using IE11 would be quite similar.

    An update to our SHA-1 deprecation roadmap

    From the comments in this and another earlier blog article I can see that even the more technically knowledgeable web developers in these discussions have questions and see potential problems with this deprecation. One of these is that older Windows XP
    and Server 2003 systems don't support the new SHA-2 or other algorithms, so these will permanently break when software or web pages containing these are accessed.

    So this migration from SHA-1 to SHA-2 may be far more disruptive than Microsoft expected for those with outdated software, servers and client systems.

    Rob
     
    Rob Koch, Nov 3, 2015
    #2
  3. Rob Koch Win User
    Downloading file.exe

    This is a relatively complex issue caused by the fact that the code signing certificate used by SMA Solar Technology AG to digitally sign their software was issued in 2012.

    This was prior to the date that Microsoft and Google both declared they would stop trusting the SHA-1 Signature hash algorithm due to the fact that using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform
    phishing attacks, or perform man-in-the-middle attacks.

    Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

    Since the certificate used by SMA was issued by COMODO and is itself still valid, the error isn't displayed within the certificate dialogs when inspecting the Digital Signature of the file. Instead, an error message is displayed by the Internet Explorer
    11 download dialog when the file is examined at the completion of the download process. At this point the file integrity is verified using the certificate and digital signature information embedded in the executable file, which since it contains a now untrusted
    SHA-1 signed certificate, is flagged as invalid due to the deprecated (e.g. untrusted) SHA-1 signature type.

    The only true resolution is for the SMA Solar Technology AG company's developer to re-compile and sign this executable file with a newer SHA-2 or other currently trusted Signature hash algorithm. To do this they'll first need to acquire an updated certificate
    package from COMODO that removes the deprecated SHA-1 and adds the SHA-2 algorithms per this information from COMODO.

    Important change announcement - deprecation of SHA-1

    I know this is a more complex answer than you were looking for, but I've written this to aid both the SMA and possibly other small developers having such problems in understanding the issue and what they need to do to resolve it. Clearly SMA is either unaware
    of the issue or simply hasn't dealt with it since this deprecation by Microsoft officially took effect as of Jan 1st, 2016 per both of the reference pages above.

    Whether you choose to ignore this corrupt or invalid signature error message and use the file anyway is up to you. Since you can't be certain of the file's integrity (e.g. insurance that it's malware free and not truly corrupted), this could be a potentially
    dangerous choice. Contacting the company and informing them of the above by providing a link to this thread will aid both you and others if that gets them to fix this real problem of outdated certificate use by their software developer.

    Rob
     
    Rob Koch, Nov 3, 2015
    #3
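
Added example (not part of the thread or any poster's code): a PowerShell check of the condition described in post #3, listing the signature hash algorithm of each certificate behind a file's Authenticode signature. The function name and the file path in the usage comment are hypothetical; the check covers certificate signatures only, not the file digest algorithm.

```powershell
# Added example: report which certificates behind a file's Authenticode
# signature are themselves signed with SHA-1. Function name is hypothetical.
function Get-SignatureHashReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # OIDs for sha1RSA, ecdsa-with-SHA1 and dsa-with-sha1 (locale independent).
    $sha1Oids = '1.2.840.113549.1.1.5', '1.2.840.10045.4.1', '1.2.840.10040.4.3'

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        Write-Warning "No Authenticode signature found on $Path ($($sig.Status))"
        return
    }

    # Signer certificate first, then the timestamp certificate if present.
    $leaves = [ordered]@{ Signer = $sig.SignerCertificate }
    if ($sig.TimeStamperCertificate) { $leaves.Timestamp = $sig.TimeStamperCertificate }

    foreach ($role in $leaves.Keys) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline inspection only: skip revocation lookups.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaves[$role])

        foreach ($element in $chain.ChainElements) {
            $cert   = $element.Certificate
            $isRoot = $cert.Subject -eq $cert.Issuer
            [pscustomobject]@{
                Role       = $role
                Subject    = $cert.GetNameInfo('SimpleName', $false)
                NotBefore  = $cert.NotBefore
                Algorithm  = $cert.SignatureAlgorithm.FriendlyName
                # A root is trusted because it is in the store, so its
                # self-signature algorithm is excluded from the SHA-1 flag.
                Sha1Signed = ($cert.SignatureAlgorithm.Value -in $sha1Oids) -and -not $isRoot
                FileStatus = $sig.Status
            }
        }
    }
}

# Usage (placeholder path for the downloaded file):
# Get-SignatureHashReport -Path "$env:USERPROFILE\Downloads\file.exe" | Format-Table -AutoSize
```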