Jan 31, 2023
Hash algorithms are utilized for integrity checks. They can verify that nothing has changed on a certificate, that a file downloaded correctly, that a signed document hasn't been tampered with, and more. Although your Code Signing Certificate may be signed by GlobalSign to verify its integrity, when you sign code, you may also specify the hash algorithm used when validating the digital signature on your program or driver. This is called the file digest (/fd).
The table below covers different signing scenarios from Windows XP through Windows 10 and details which scenarios are supported and which ones will not validate. In addition to native operating system support, this also takes into account Microsoft's SHA-1 deprecation policy, and new Windows 10 driver signing requirements.
|/fd sha1||/fd sha256||/fd sha1||/fd sha256||/fd sha1||/fd sha256|
|Windows XP||User Mode||✓||✗||✓||✗||✓||✗|
|Windows Vista||User Mode||✓||✗||✓||✗||✓||✗|
|Windows 7||User Mode||✓||✓||✓||✓||✓||✓|
|Windows 8||User Mode||✓||✓||✓||✓||✓||✓|
|Windows 10||User Mode||✓||✓||✓||✓||✓||✓|
|✗||Will not validate.|
|✓||Validates if signed & timestamped prior to January 01, 2016.|
|✓||Validates if signed & timestamped prior to July 29, 2015. After that, kernel mode drivers for all Windows versions must be signed by the Windows Hardware Developer Center Dashboard Portal which requires an EV Code Signing Certificate to access.|
|✓||Kernel Mode Drivers for all Windows versions must be signed by the Windows Hardware Developer Center Dashboard Portal which requires an EV Code Signing Certificate to access.|
Any driver, user or kernel mode submitted through Microsoft's Portal requires an EV Code Signing certificate no matter what operating system the developer intends on supporting. Signing through the portal is only required for Windows 10 kernel mode drivers and is optional for all scenarios on previous Windows versions.
If the /fd command is not specified during signing, SHA1 is the default file digest, even when a SHA-2 Certificate is used.