Upcoming Changes to CodeSigning
Jan 30, 2023
End of Life for SHA-1 Code Signing
Background
Up until 29th of June 2020, GlobalSign has allowed customers to issue Code Signing Certificates signed with the SHA-1 hash algorithm. We have continued to allow SHA-1 Code Signing issuance due to Microsoft legacy operating systems that did not support SHA-2 signed software.
In 2019, Microsoft completed offering full support for SHA-2 in older operating systems.
Additionally, the CAB Forum guidelines on Code Signing now mandate that CAs must stop issuance of SHA-1 Code Signing Certificates and SHA-1 Timestamping by January 1st, 2021.
Change or Impact
Effective 29th of June, 2020 - GlobalSign will stop issuing SHA-1 Code Signing Certificates. After that date, certificates can only be ordered and reissued with SHA-2.
Effective January 1st, 2021 - Access to SHA-1 Timestamping will be discontinued.
Frequently Asked Questions
- I currently have a SHA-1 Code Signing Certificate, how am I affected?
If your Certificate expires before January 2021, you should select the option for SHA-2 issuance when renewing your Certificate. If your Certificate expires after 1st of January 2021, you should reissue the Certificate with SHA-2 before that date. The 1st of January 2021 deadline does not align with the end of life for SHA-1 signed certificates because already issued certificates remain valid but require SHA-1 timestamps for signatures.
- I am not sure whether my current Code Signing Certificates are SHA-1 or SHA-2?
Since 2018, the option for SHA-1 had to be explicitly selected during ordering. Unless you did so, your Certificate is issued with SHA-2. When in doubt, you can check the fields “Signature Hash Algorithm” and “Signature Algorithm” in your Certificate details.
- Will my previously signed software be affected?
If Long-Term-Validity for signatures has been enabled, previously signed software is unaffected. This is the default with most signing applications.
- I have legacy applications that rely on SHA-1 signed applications
No CA will be able to offer publicly trusted SHA-1 Code Signing Certificates starting 1st of January 2021. It is recommended to update your systems so SHA-2 hashes can be processed.
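For the question above about telling SHA-1 from SHA-2 certificates, the check can be scripted instead of opening each certificate's details. This is an added example, not GlobalSign code: the function name Get-CodeSigningHashReport is hypothetical, and it assumes the certificates are installed in the Windows Personal ("My") stores. It maps each result to the renew or reissue guidance given in the FAQ.

```powershell
# Added example (not GlobalSign code). Lists code signing certificates in the
# Windows certificate stores and flags those whose own signature uses SHA-1.
# Assumption: the certificates are installed in the "My" (Personal) stores.

# OIDs of SHA-1 based certificate signature algorithms.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3'      # dsa-with-SHA1
)
# Date from the notice: SHA-1 timestamping ends January 1st, 2021.
$TimestampCutoff = [datetime]'2021-01-01'

function Get-CodeSigningHashReport {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        # -CodeSigningCert is a dynamic parameter of the Certificate provider;
        # it returns only certificates valid for code signing.
        Get-ChildItem -Path $path -CodeSigningCert -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Compare by OID rather than by display name.
                $isSha1 = $Sha1SignatureOids -contains $_.SignatureAlgorithm.Value
                $action = if (-not $isSha1) {
                    'None: not SHA-1 signed'
                } elseif ($_.NotAfter -lt $TimestampCutoff) {
                    'Select SHA-2 when renewing'
                } else {
                    'Reissue with SHA-2 before 2021-01-01'
                }
                [pscustomobject]@{
                    Store              = $path
                    Subject            = $_.Subject
                    Thumbprint         = $_.Thumbprint
                    SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                    NotAfter           = $_.NotAfter
                    Action             = $action
                }
            }
    }
}

Get-CodeSigningHashReport | Format-Table -AutoSize
```

The SignatureAlgorithm column corresponds to the “Signature Algorithm” field in the certificate details (for example sha1RSA or sha256RSA).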
Helpful Support Guides
Reissue a Certificate: https://support.globalsign.com/customer/portal/articles/1251626