Feb 21, 2024
Hash algorithms are used for integrity checks. They can verify that nothing has changed on a certificate, that a file downloaded correctly, that a signed document hasn't been tampered with, and more. Although your Code Signing Certificate may be signed by GlobalSign to verify its integrity, when you sign code you can also specify the hash algorithm used when validating the digital signature on your program or driver. This is called the file digest (/fd).
The table below covers different signing scenarios from Windows XP through Windows 10 and details which scenarios are supported and which ones will not validate. In addition to native operating system support, this also takes into account Microsoft's SHA-1 deprecation policy, and new Windows 10 driver signing requirements.
| Windows version | Mode | SHA-1 Certificate, /fd sha1 | SHA-1 Certificate, /fd sha256 | SHA-2 Certificate, /fd sha1 | SHA-2 Certificate, /fd sha256 | EV Certificate (SHA-2 Only), /fd sha1 | EV Certificate (SHA-2 Only), /fd sha256 |
|---|---|---|---|---|---|---|---|
| Windows XP | User Mode | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ |
| Windows XP | Kernel Mode | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Windows Vista | User Mode | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ |
| Windows Vista | Kernel Mode | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Windows 7 | User Mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Windows 7 | Kernel Mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Windows 8 | User Mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Windows 8 | Kernel Mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Windows 10 | User Mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Windows 10 | Kernel Mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

| Symbol | Meaning |
|---|---|
| ✗ | Will not validate. |
| ✓ | Validates successfully. |
| ✓ | Validates if signed & timestamped prior to January 01, 2016. |
| ✓ | Validates if signed & timestamped prior to July 29, 2015. After that, kernel mode drivers for all Windows versions must be signed by the Windows Hardware Developer Center Dashboard Portal, which requires an EV Code Signing Certificate to access. |
| ✓ | Kernel mode drivers for all Windows versions must be signed by the Windows Hardware Developer Center Dashboard Portal, which requires an EV Code Signing Certificate to access. |
Any driver, user or kernel mode, submitted through Microsoft's portal requires an EV Code Signing Certificate, no matter which operating system the developer intends to support. Signing through the portal is only required for Windows 10 kernel mode drivers and is optional for all scenarios on previous Windows versions.
If the /fd option is not specified during signing, SHA-1 is the default file digest, even when a SHA-2 Certificate is used.
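Because a missing /fd silently produces a SHA-1 file digest, it is worth checking what a signed binary actually declares before release. The script below is an added example, not GlobalSign's or Microsoft's code: it reads the Authenticode PKCS#7 blob from a PE file's certificate table and returns the digest algorithms listed in `SignedData.digestAlgorithms`. It assumes definite-length DER, inspects only the primary signature, and does not verify the signature itself; all function names are illustrative.

```python
import struct
import sys

DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",            # OIDs as DER content bytes
               bytes.fromhex("608648016503040201"): "sha256"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def authenticode_blob(pe):
    """PKCS#7 bytes from the PE certificate table, or None if the file is unsigned."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24  # optional header: after 4-byte signature + 20-byte COFF header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: security
    if cert_off == 0 or cert_size == 0:
        return None
    length = struct.unpack_from("<I", pe, cert_off)[0]  # WIN_CERTIFICATE.dwLength
    return pe[cert_off + 8:cert_off + length]  # skip the 8-byte WIN_CERTIFICATE header

def file_digest_algorithms(pe):
    """Digest algorithms declared in SignedData.digestAlgorithms of the primary signature."""
    blob = authenticode_blob(pe)
    if blob is None:
        return []
    _, p, _ = read_tlv(blob, 0)    # ContentInfo SEQUENCE
    _, _, p = read_tlv(blob, p)    # skip contentType OID (signedData)
    _, p, _ = read_tlv(blob, p)    # [0] EXPLICIT wrapper
    _, p, _ = read_tlv(blob, p)    # SignedData SEQUENCE
    _, _, p = read_tlv(blob, p)    # skip version INTEGER
    _, p, end = read_tlv(blob, p)  # digestAlgorithms SET
    names = []
    while p < end:
        _, a, p = read_tlv(blob, p)   # AlgorithmIdentifier SEQUENCE; p moves to the next one
        _, o, oe = read_tlv(blob, a)  # algorithm OID
        names.append(DIGEST_OIDS.get(bytes(blob[o:oe]), "other"))
    return names

if __name__ == "__main__":  # usage: python fd_check.py file.exe [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, file_digest_algorithms(f.read()) or "unsigned")
```

A result of `['sha1']` on a file signed with a SHA-2 certificate indicates that /fd was omitted or set to sha1 at signing time.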