NewsArchive
11-24-2014, 08:41 AM
All,
The next SetupBuilder 8.2 update will provide a built-in support option for
the SHA-2 (SHA-256) Hashing Algorithm. See attached screenshots. One
executable signed with the default SHA-1, the other executable signed with
the "new" SHA-2.
DETAILED INFORMATION:
As you probably know, Microsoft has published a security advisory on
"Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate
Program". The new policy takes effect after January 1, 2016 and requires
CAs to migrate to the stronger SHA-2 hashing algorithm.
In summary, Windows will cease accepting SHA-1 certificates on January 1,
2017. To continue to work with Microsoft platforms, all SHA-1 SSL
certificates issued before or after this announcement must be replaced with
a SHA-256 (SHA-2) equivalent by January 1, 2017. Organizations need to
develop a migration plan for any SHA-1 end-entity SSL certificates that
expire after January 1, 2017 and SHA-1 code signing certificates that expire
after January 1, 2016. SHA1 code signing certificates that are time stamped
before 1 January 2016 will be accepted until such time when Microsoft
decides SHA1 is vulnerable to pre-image attack. Microsoft will give new
consideration to the SHA deprecation deadlines in July 2015.
1. Customers should "renew" with SHA-2 end-entity and intermediate
certificates.
2. Microsoft will cease trusting Code Signing Certificates using SHA-1 on
January 1, 2016.
WARNING:
If you use SHA-2 today, expect trouble. Most applications, servers and
browsers now support SHA-2, however some older operating systems such as
Windows XP prior to Service Pack 3, and some mobile devices do not. Vista
needs a specific patch (KB2763674) to handle SHA-2 executables. At the
moment it is best to keep using SHA-1 as long as you can!
For example:
http://support.microsoft.com/kb/2763674
Before the SHA-1 algorithm is formally deprecated by Microsoft, it is
important to ensure your organization and those relying on your
infrastructure are benefiting from SHA-2 support by installing the latest
version of the application or browser and applying all known security
updates to your operating system.
COMODO:
Comodo will support only SHA-2 on all 3 year code signing certificates.
They will also confirm policies at this time regarding 2 year SHA-1 code
signing certificates.
http://www.comodo.com/e-commerce/SHA-2-transition.php
Comodo told us that if the code-sign certificate order goes beyond
01-Jan-2016 their system will automatically issue of the SHA-2 chain!
As usual, SetupBuilder is ready for the future.
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
The next SetupBuilder 8.2 update will provide a built-in support option for
the SHA-2 (SHA-256) Hashing Algorithm. See attached screenshots. One
executable signed with the default SHA-1, the other executable signed with
the "new" SHA-2.
DETAILED INFORMATION:
As you probably know, Microsoft has published a security advisory on
"Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate
Program". The new policy takes effect after January 1, 2016 and requires
CAs to migrate to the stronger SHA-2 hashing algorithm.
In summary, Windows will cease accepting SHA-1 certificates on January 1,
2017. To continue to work with Microsoft platforms, all SHA-1 SSL
certificates issued before or after this announcement must be replaced with
a SHA-256 (SHA-2) equivalent by January 1, 2017. Organizations need to
develop a migration plan for any SHA-1 end-entity SSL certificates that
expire after January 1, 2017 and SHA-1 code signing certificates that expire
after January 1, 2016. SHA1 code signing certificates that are time stamped
before 1 January 2016 will be accepted until such time when Microsoft
decides SHA1 is vulnerable to pre-image attack. Microsoft will give new
consideration to the SHA deprecation deadlines in July 2015.
1. Customers should "renew" with SHA-2 end-entity and intermediate
certificates.
2. Microsoft will cease trusting Code Signing Certificates using SHA-1 on
January 1, 2016.
WARNING:
If you use SHA-2 today, expect trouble. Most applications, servers and
browsers now support SHA-2, however some older operating systems such as
Windows XP prior to Service Pack 3, and some mobile devices do not. Vista
needs a specific patch (KB2763674) to handle SHA-2 executables. At the
moment it is best to keep using SHA-1 as long as you can!
For example:
http://support.microsoft.com/kb/2763674
Before the SHA-1 algorithm is formally deprecated by Microsoft, it is
important to ensure your organization and those relying on your
infrastructure are benefiting from SHA-2 support by installing the latest
version of the application or browser and applying all known security
updates to your operating system.
COMODO:
Comodo will support only SHA-2 on all 3 year code signing certificates.
They will also confirm policies at this time regarding 2 year SHA-1 code
signing certificates.
http://www.comodo.com/e-commerce/SHA-2-transition.php
Comodo told us that if the code-sign certificate order goes beyond
01-Jan-2016 their system will automatically issue of the SHA-2 chain!
As usual, SetupBuilder is ready for the future.
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner