SHA-2 Digital Signature Upgrade

January 5th, 2016 - Tuesday


Starting January 1st, 2016, Microsoft is making the move of its digital signature system from SHA-1 to SHA-2 mandatory, to deal with the declining security of SHA-1 signatures. A limited dual-signing scheme is supported for backwards compatibility.

All applications signed with SHA-1 certificates will still be accepted until January 1st, 2017. The UAC prompt will still show the correct vendor information, but the browser (Internet Explorer in the screenshots below) will warn users about an invalid signature. Windows SmartScreen will also not recognize the SHA-1 signature and will try to stop users from running the file, as shown below.

[Screenshot: MSI file download warning in Internet Explorer]

[Screenshot: Windows SmartScreen prompt]

Important: SmartScreen performs this check only on files carrying the Mark of the Web attribute, i.e. the Zone.Identifier alternate data stream that Windows attaches to files downloaded through a browser.

SHA-2 is mandatory

  • make sure your code-signing certificate is SHA-2 (its signature algorithm is sha256RSA or stronger, not sha1RSA); if it is not, buy a new one immediately
  • enable SHA-2 signing in your Advanced Installer projects, from the Digital Signature page. The option is called "Sign only for modern operating systems (Windows 7 or newer)".
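The two checks above, the certificate algorithm and the Mark of the Web condition from the SmartScreen note, can be scripted. The following PowerShell is an added example and not Advanced Installer's own code; the output folder `.\Release` and the file `Setup.msi` are hypothetical names. It inventories every signed file of a build, flags certificates still signed with SHA-1, and tags a local build with the Zone.Identifier stream so SmartScreen evaluates it exactly as a browser download.

```powershell
# Added example (not Advanced Installer's own code): inventory a build's signatures
# and reproduce the SmartScreen download check locally. Hypothetical path: .\Release

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # SignatureAlgorithm is the algorithm the CA used to sign the certificate:
    # 'sha1RSA' is a SHA-1 certificate, 'sha256RSA' (or stronger) a SHA-2 one.
    # This is NOT the file-hash algorithm of the signature itself; for that
    # run: signtool verify /pa /v <file>
    $certAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }

    [pscustomobject]@{
        File          = Split-Path -Path $Path -Leaf
        Status        = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        CertAlgorithm = $certAlg
        NeedsNewCert  = ($certAlg -like 'sha1*')    # the first action item in the list above
        CertExpires   = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped   = [bool]$sig.TimeStamperCertificate
        # Mark of the Web is stored in the Zone.Identifier alternate data stream
        HasMotW       = [bool](Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    }
}

function Add-MarkOfTheWeb {
    # Tag a locally built file as an Internet-zone download (ZoneId=3) so SmartScreen
    # treats it like a browser download; Unblock-File removes the stream again.
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Audit everything the build produced
Get-ChildItem -Path .\Release -Recurse -Include *.exe, *.dll, *.msi |
    ForEach-Object { Get-SignatureReport -Path $_.FullName } |
    Format-Table -AutoSize

# Reproduce the download warning on a local build of the installer
Add-MarkOfTheWeb -Path .\Release\Setup.msi
Get-SignatureReport -Path .\Release\Setup.msi
```

Note that `Get-AuthenticodeSignature` reports only the primary signature of a file, so on a dual-signed executable it will describe the SHA-1 signature; use `signtool verify /pa /all /v` to see every signature and its digest algorithm.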

Targeting Vista/2008 or older

If your application targets only these OSes, keep using a SHA-1 certificate: SHA-2 signatures are recognized only by Windows 7 and newer, so older OSes will not validate them.

If your application targets Windows 7 and newer but also the old Vista/Server 2008 systems, Microsoft has a solution. It will also be included in Advanced Installer 12.7, scheduled for release at the beginning of February.

The solution is to dual-sign your files with both a SHA-1 and a SHA-2 signature. MSI files are the exception: Windows does not support dual signatures on them, so an MSI must always be signed with a SHA-2 certificate but using a SHA-1 file hash and a SHA-1 timestamp.

Important: dual signing is supported starting with Windows 7 SP1, so your build machine must run Windows 7 SP1 (or newer) with the Windows 8 SDK (or newer) installed; that SDK ships the signtool.exe that can append a second signature to an already signed file.
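The recipe above, driven by signtool.exe directly, for anyone who signs outside Advanced Installer. This PowerShell is an added example and not Advanced Installer's code; the SDK path, the certificate thumbprint, the timestamp server URLs and the `.\Release` file names are hypothetical values to replace with your own. Executables get a SHA-1 primary signature plus an appended SHA-256 one; the MSI gets the single allowed combination, SHA-2 certificate with SHA-1 file hash and SHA-1 timestamp.

```powershell
# Added example (not Advanced Installer's own code): dual-sign PE files and
# SHA-1-hash-sign an MSI with a SHA-2 certificate using signtool.exe.
# Hypothetical values below: SDK path, thumbprint, timestamp URLs, file names.
$ErrorActionPreference = 'Stop'

$SignTool   = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe'  # Windows 8+ SDK: required for /as
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'                     # thumbprint of the SHA-2 cert in the user's store
$TsLegacy   = 'http://timestamp.example.com/authenticode'                   # Authenticode (SHA-1) timestamp endpoint
$TsRfc3161  = 'http://timestamp.example.com/rfc3161'                        # RFC 3161 endpoint for the SHA-256 timestamp

function Invoke-SignTool {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool exited with $LASTEXITCODE for: $($Arguments -join ' ')" }
}

function Invoke-DualSign {
    # EXE/DLL: SHA-1 primary signature for Vista/2008, then a SHA-256 signature appended with /as.
    # /sha1 selects the certificate by its thumbprint; it has nothing to do with the digest (/fd).
    param([Parameter(Mandatory)][string]$Path)
    Invoke-SignTool -Arguments @('sign', '/sha1', $Thumbprint, '/fd', 'sha1', '/t', $TsLegacy, $Path)
    Invoke-SignTool -Arguments @('sign', '/sha1', $Thumbprint, '/as', '/fd', 'sha256', '/tr', $TsRfc3161, '/td', 'sha256', $Path)
}

function Invoke-MsiSign {
    # MSI: Windows accepts one signature only, so use the SHA-2 certificate with a SHA-1
    # file digest and a SHA-1 (Authenticode) timestamp, the combination every target validates.
    param([Parameter(Mandatory)][string]$Path)
    Invoke-SignTool -Arguments @('sign', '/sha1', $Thumbprint, '/fd', 'sha1', '/t', $TsLegacy, $Path)
}

function Test-Signatures {
    # /all walks every signature in the file (not only the primary one); /v prints each
    # file digest, certificate chain and timestamp so both sha1 and sha256 can be confirmed.
    param([Parameter(Mandatory)][string]$Path)
    Invoke-SignTool -Arguments @('verify', '/pa', '/all', '/v', $Path)
}

Invoke-DualSign -Path '.\Release\Setup.exe'
Invoke-MsiSign  -Path '.\Release\Setup.msi'
Test-Signatures -Path '.\Release\Setup.exe'
Test-Signatures -Path '.\Release\Setup.msi'
```

Order matters: the SHA-1 signature must be the primary one, because Vista/2008 only look at the first signature, and `/as` must be used on the second call or signtool replaces the first signature instead of nesting the new one. Windows 7 SP1 and Server 2008 R2 hosts that lack the SHA-2 code-signing support update from Microsoft Security Advisory 3033929 see only the primary SHA-1 signature, which is why it has to stay valid on its own.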

Advanced Installer will handle this automatically, with no extra configuration required. All you have to do is download our next update, scheduled for release in the following weeks, and make sure you have a valid SHA-2 certificate.

Update - January 20, 2016

Microsoft does not require SHA-2 file hashing starting January 1st, 2016. You can still use SHA-1 as the file hash algorithm as long as the certificate itself is SHA-2.

Windows will no longer trust files with a SHA-1 signature (file hash or timestamp) after January 1st, 2017.