
More on Code Sign - dual signing sha1 and sha256

Rick Martin
11-02-2015, 09:51 AM
From reading on Microsoft's site it sounds like it is necessary to dual sign your application to include both sha1 and sha256 if you want your program to run on Windows 7 and Windows 8/10.
https://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx
https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=INFO2274&pmv=print&actp=PRINT

As an experiment, I code signed a utility with only sha256. It ran fine on a Windows 7 machine.
What are the downsides to only code-signing with sha256?
Is it really necessary to also include sha1 if your program is running on Win 7?

TIA,
Rick

linder
11-02-2015, 10:17 AM
Hi Rick,

It depends on the Windows 7 patch level. To support older Windows operating systems (e.g. Windows XP, Vista, early Windows 7 versions) and modern Windows systems (Windows 8.x and later) after 1 January 2016, you have to dual SHA-1/SHA-2 code-sign your files using a Microsoft Authenticode compatible time stamp server and an RFC 3161 compliant trusted time stamp server (a SHA-2 compatible code-signing certificate is required).

See the attached screenshot. On some older Windows 7 machines, SHA-2 does not work as expected. If you only support Windows 7 SP1 and later, then SHA-2 is no problem.

Friedrich
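The dual SHA-1/SHA-2 signing procedure Friedrich describes, written out as an added example with signtool.exe from the Windows SDK (this is not code from the thread or from any poster). The file path, certificate thumbprint and time stamp server URLs are placeholders; signtool.exe is assumed to be on PATH and the certificate to be in the CurrentUser\My store.

```powershell
# Added example: dual-sign a PE file with a SHA-1 primary signature (for XP, Vista and
# pre-SP1 Windows 7) plus a nested SHA-256 signature (Windows 8.x and later), then
# verify every signature that ends up in the file.
# Assumptions: signtool.exe on PATH; certificate in CurrentUser\My; placeholder values below.

$File           = 'C:\build\MyUtility.exe'                      # placeholder path
$Thumbprint     = '0123456789ABCDEF0123456789ABCDEF01234567'    # placeholder cert thumbprint
$TsAuthenticode = 'http://timestamp.example.invalid/authenticode' # placeholder: CA's Authenticode TSA
$TsRfc3161      = 'http://timestamp.example.invalid/rfc3161'      # placeholder: CA's RFC 3161 TSA

# 1. Primary signature: SHA-1 file digest (/fd) with an Authenticode-style time stamp (/t).
#    Systems that know nothing about nested signatures only evaluate the primary one,
#    so the SHA-1 signature has to go first.
& signtool.exe sign /sha1 $Thumbprint /fd sha1 /t $TsAuthenticode $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit $LASTEXITCODE)" }

# 2. Append (/as) a second signature with a SHA-256 file digest and an RFC 3161
#    time stamp (/tr) whose digest is also SHA-256 (/td).
#    Without /as, signtool would replace the SHA-1 signature instead of nesting the new one.
& signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $TsRfc3161 /td sha256 /as $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit $LASTEXITCODE)" }

# 3. Verification: /pa applies the default Authenticode policy, /all checks every
#    signature in the file (not just the primary one), /v prints the details.
& signtool.exe verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "signature verification failed (exit $LASTEXITCODE)" }
```

Note that Get-AuthenticodeSignature reports only the primary signature, so it will show the SHA-1 signature alone even when the SHA-256 one is present; signtool verify /all is the check that confirms both.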

Rick Martin
11-02-2015, 11:15 AM
Hi Friedrich,

Nice chart. Thanks for the clarification.

Rick

linder
11-05-2015, 03:44 AM
You are very welcome, Rick!!

Friedrich