Upcoming Changes to CodeSigning

End of Life for SHA-1 Code Signing

 

Background

Up until 29th of June 2020, GlobalSign has allowed customers to issue Code Signing Certificates signed with the SHA-1 hash algorithm. We have continued to allow SHA-1 Code Signing issuance due to Microsoft legacy operating systems that did not support SHA-2 signed software.

In 2019, Microsoft finished rolling out full SHA-2 support for its older operating systems.

Additionally, the CAB Forum guidelines on Code Signing now mandate that CAs must stop issuance of SHA-1 Code Signing Certificates and SHA-1 Timestamping by January 1st, 2021.

 

Change or Impact

Effective 29th of June, 2020 - GlobalSign will stop issuing SHA-1 Code Signing Certificates. After that date, certificates can only be ordered and reissued with SHA-2.

Effective January 1st, 2021 - Access to SHA-1 Timestamping will be discontinued.

 

Frequently Asked Questions

  1. I currently have a SHA-1 Code Signing Certificate, how am I affected?

    If your Certificate expires before January 2021, select the option for SHA-2 issuance when renewing your Certificate. If your Certificate expires after 1st of January 2021, reissue the Certificate with SHA-2 before that date. This date does not match the end of life for SHA-1 signed certificates, because already issued certificates remain valid but their signatures require SHA-1 timestamps.
  2. I am not sure whether my current Code Signing Certificates are SHA-1 or SHA-2?

    Since 2018, the option for SHA-1 had to be explicitly selected during ordering. Unless you did so, your Certificate was issued with SHA-2. When in doubt, check the fields “Signature Hash Algorithm” and “Signature Algorithm” in your Certificate details.
  3. Will my previously signed software be affected?

    If Long-Term-Validity for signatures has been enabled, previously signed software is unaffected. This is the default with most signing applications.
  4. I have legacy applications that rely on SHA-1 signed applications

    No CA will be able to offer publicly trusted SHA-1 Code Signing Certificates starting 1st of January 2021. It is recommended to update your systems so that SHA-2 hashes can be processed.

 

Helpful Support Guides

Reissue a Certificate: https://support.globalsign.com/customer/portal/articles/1251626
