Microsoft recently announced updates to its Windows SHA-1 deprecation policy [0]. According to the update, Windows 7 and later platforms will no longer support a SHA-1 certificate hash (CH) after 1st January 2016. This means all binaries have to be signed with SHA-2 after 1st January 2016, or Windows will pop up an alert!
Initially, this policy got me worried. Why? Because as per [1], Microsoft pushed SHA-2 support to Windows 7 and Windows Server 2008 R2 on 14/Oct/2014; that update was later revoked due to some issues and re-released as advisory KB3033929 [2], published on 10/Mar/2015 (just a few months ago!). So, can users who aren't on KB3033929 still verify my valid SHA-2 certs? Yes, they can! Read on...
The Microsoft updates [1] and [2] add support for SHA-2 binary hashes; these platforms already support SHA-2 certificate hashes. So if you sign your executable with a SHA-1 binary hash and a SHA-2 certificate hash after 1st January 2016, it will validate on all Windows 7 systems irrespective of their update level. I have summarized the SHA-1/SHA-2 support status in the table below. (BH = Binary Hash, CH = Certificate Hash)
| OS | SHA1 BH & SHA1 CH | SHA1 BH & SHA2 CH | SHA2 BH & SHA2 CH |
|---|---|---|---|
| Win XP SP1 & SP2 | YES | NO | NO |
| Win XP SP3 | YES | YES | NO |
| Win 7 before KB3033929 | YES | YES | NO |
| Win 7 after KB3033929 | YES | YES | YES |
Note: One consideration to keep in mind before moving your executable's certificate to SHA-2 is that if your user base includes Windows Vista or Windows Server 2008 SP2, you may land in trouble! As per [3], "you cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2".
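To check where a binary you have already signed falls in the table above, the following PowerShell script (an added example, not code from the original post) reads the certificate hash (CH) from the signer certificate and the binary hash (BH) from signtool's verbose output, then maps the pair to the oldest platform that validates it. It assumes signtool.exe from the Windows SDK is on PATH and that its verbose output prints one "Hash of file (<alg>):" line per signature; the file path is a placeholder.

```powershell
# Added example (not from the original post): classify a signed PE by BH and CH.
# Assumption: signtool.exe is on PATH and its /v output contains "Hash of file (<alg>):".
function Get-AuthenticodeHashInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$Path' is not valid: $($sig.Status) - $($sig.StatusMessage)"
    }
    # CH: the algorithm the issuing CA used to sign the code-signing certificate
    # (e.g. sha1RSA or sha256RSA). Only the primary signature's certificate is returned.
    $ch = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName

    # BH: the file digest algorithm of each signature, parsed from signtool's verbose output
    # (one line per signature, so a dual-signed file yields two values).
    $verbose = & signtool.exe verify /pa /v /all $Path 2>&1 | Out-String
    $bh = [regex]::Matches($verbose, 'Hash of file \((\w+)\)') |
          ForEach-Object { $_.Groups[1].Value.ToLower() }
    if (-not $bh) { throw "Could not read the file hash algorithm from signtool output" }

    [pscustomobject]@{
        Path            = $Path
        BinaryHash      = $bh -join ','      # e.g. "sha1" or "sha1,sha256"
        CertificateHash = $ch
    }
}

# Map a (BH, CH) pair to the oldest platform that validates it, per the table above.
function Get-MinimumPlatform {
    param([string]$BinaryHash, [string]$CertificateHash)
    $bhList   = $BinaryHash -split ','
    $chIsSha2 = $CertificateHash -notmatch '^sha1'
    if ($bhList -contains 'sha1' -and -not $chIsSha2) { return 'Windows XP SP1 or later' }
    if ($bhList -contains 'sha1' -and $chIsSha2) {
        # Validates on XP SP3 and on Win 7 with or without KB3033929; see the Vista/2008 SP2 note.
        return 'Windows XP SP3 or later (not Vista SP2 / Server 2008 SP2)'
    }
    if ($chIsSha2) { return 'Windows 7 with KB3033929 or later' }
    return 'Combination not covered by the table (SHA2 BH with SHA1 CH)'
}

$info = Get-AuthenticodeHashInfo -Path 'C:\path\to\your.exe'   # placeholder path
$info | Add-Member -NotePropertyName MinimumPlatform `
    -NotePropertyValue (Get-MinimumPlatform $info.BinaryHash $info.CertificateHash) -PassThru
```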
References: