Upcoming Changes to CodeSigning

End of Life for SHA-1 Code Signing

 

Background

Up until 29th of June 2020, GlobalSign has allowed customers to issue Code Signing Certificates signed with the SHA-1 hash algorithm. We have continued to allow SHA-1 Code Signing issuance due to Microsoft legacy operating systems that did not support SHA-2 signed software.

In 2019, Microsoft completed offering full support for SHA-2 in older operating systems.

Additionally, the CAB Forum guidelines on Code Signing now mandate that CAs must stop issuing SHA-1 Code Signing Certificates and SHA-1 Timestamping by January 1st, 2021.

 

Change or Impact

Effective 29th of June, 2020 - GlobalSign will stop issuing SHA-1 Code Signing Certificates. After that date, certificates can only be ordered and reissued with SHA-2.

Effective January 1st, 2021 - Access to SHA-1 Timestamping will be discontinued.

 

Frequently Asked Questions

  1. I currently have a SHA-1 Code Signing Certificate, how am I affected?

    If your Certificate expires before January 2021, you should select the option for SHA-2 issuance when renewing your Certificate. If your Certificate expires after 1st of January 2021, you should reissue the Certificate with SHA-2 before that date. This date does not align with the end of life for SHA-1 signed certificates because already-issued certificates remain valid but require SHA-1 timestamps for signatures.
  2. I am not sure whether my current Code Signing Certificates are SHA-1 or SHA-2?

    Since 2018, the option for SHA-1 had to be explicitly selected during ordering. Unless you did so, your Certificate is issued with SHA-2. When in doubt, you can check the fields “Signature Hash Algorithm” and “Signature Algorithm” in your Certificate details.
  3. Will my previously signed software be affected?

    If Long-Term-Validity for signatures has been enabled, previously signed software is unaffected. This is the default with most signing applications.
  4. I have legacy applications that rely on SHA-1 signed applications

    No CA will be able to offer publicly trusted SHA-1 Code Signing Certificates starting 1st of January 2021. It is recommended to update your systems so SHA-2 hashes can be processed.
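
The check from questions 1 and 2, scripted as an added example (not GlobalSign tooling): it reads the signature algorithm of each code signing certificate in the store and maps it to the renew-or-reissue guidance above. It assumes the certificates are installed in Cert:\CurrentUser\My; the function name Get-CodeSigningHashStatus is hypothetical.

```powershell
# Added example, not GlobalSign code. Classifies installed code signing
# certificates according to the dates given in the FAQ above.
$timestampCutoff = [datetime]'2021-01-01'   # end of SHA-1 timestamping (from the page)

# OIDs of certificate signature algorithms that use SHA-1
$sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3',     # dsa-with-SHA1
    '1.3.14.3.2.29'          # sha1WithRSASignature (legacy OIW OID)
)

function Get-CodeSigningHashStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Compare by OID rather than by friendly name, which can be localized
        $isSha1 = $sha1SignatureOids -contains $Certificate.SignatureAlgorithm.Value

        $action = if (-not $isSha1) {
            'None: not SHA-1 signed'
        } elseif ($Certificate.NotAfter -lt $timestampCutoff) {
            'Select SHA-2 when renewing'
        } else {
            'Reissue with SHA-2 before 1 January 2021'
        }

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Thumbprint         = $Certificate.Thumbprint
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            NotAfter           = $Certificate.NotAfter
            Action             = $action
        }
    }
}

# -CodeSigningCert limits the listing to certificates valid for code signing
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Get-CodeSigningHashStatus |
    Format-Table -AutoSize
```

To inspect certificates installed for the machine rather than the user, point the last pipeline at Cert:\LocalMachine\My instead.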

 

Helpful Support Guides

Reissue a Certificate: https://support.globalsign.com/customer/portal/articles/1251626
