Windows Code Signing Hash Algorithm Support

Feb 21, 2024

Windows Code Signing Hash Algorithm Support

Overview

Hash algorithms are utilized for integrity checks. They can verify that nothing has changed on a certificate, that a file downloaded correctly, that a signed document hasn't been tampered with, and more. Although your Code Signing Certificate may be signed by GlobalSign to verify its integrity, when you sign code, you may also specify the hash algorithm used when validating the digital signature on your program or driver. This is called the file digest (/fd).

The table below covers different signing scenarios from Windows XP through Windows 10 and details which scenarios are supported and which ones will not validate. In addition to native operating system support, this also takes into account Microsoft's SHA-1 deprecation policy, and new Windows 10 driver signing requirements.
 

    SHA-1
Certificate
SHA-2
Certificate
EV Certificate
(SHA-2 Only)
    /fd sha1 /fd sha256 /fd sha1 /fd sha256 /fd sha1 /fd sha256
Windows XP User Mode
Kernel Mode
Windows Vista User Mode
Kernel Mode
Windows 7 User Mode
Kernel Mode
Windows 8 User Mode
Kernel Mode
Windows 10 User Mode
Kernel Mode

 
  

Will not validate.
Validates Successfully.
Validates if signed & timestamped prior to January 01, 2016.
Validates if signed & timestamped prior to July 29, 2015. After that, kernel mode drivers for all Windows versions must be signed by the Windows Hardware Developer Center Dashboard Portal which requires an EV Code Signing Certificate to access.
Kernel Mode Drivers for all Windows versions must be signed by the Windows Hardware Developer Center Dashboard Portal which requires an EV Code Signing Certificate to access.

 
 


Additional Information

Any driver, user or kernel mode submitted through Microsoft's Portal requires an EV Code Signing certificate no matter what operating system the developer intends on supporting. Signing through the portal is only required for Windows 10 kernel mode drivers and is optional for all scenarios on previous Windows versions.


If the /fd command is not specified during signing, SHA1 is the default file digest, even when a SHA-2 Certificate is used.

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support