Code Signing: SHA1 no, SHA256 yes

I just renewed my code-signing certificate through Sectigo. Now when I compile, I get the following:

Signing the publication .exe file…
Dual SHA1-SHA256 signatures used

  • SHA1:
    GSignCode 2.1 – simple code signing utility
    Copyright G.D.G. Software 2011-2016. All rights reserved.

    Signing C:\Users\jmilb\Documents\My Poetry\Exe\aeiour5.exe
    SIGNING ERROR:
    Signing Error - Code 0x80072EFF
    Warning: code signing failed, an error occurred.
  • SHA256:
    GSignCode 2.1 – simple code signing utility
    Copyright G.D.G. Software 2011-2016. All rights reserved.

    Signing C:\Users\jmilb\Documents\My Poetry\Exe\aeiour5.exe
    File successfully signed.

This evidently means it was signed through SHA256, but not through SHA1. Do I have a problem, or is this OK?

Hi!

Article dated 24th Apr 2020

A few weeks ago Microsoft announced its decision to deprecate the use of SHA1 from January 2017 and to replace it by SHA256. All certificates and intermediates signed in SHA1 won’t be recognized anymore and will provoke security alerts on all the products of the brand.

Additionally, SHA1 has also been deemed quite vulnerable to collision attacks, which is why all browsers will be removing support for certificates signed with SHA1 by January 2017. SHA256, however, is currently much more resistant to collision attacks as it is able to generate a longer hash which is harder to break.

If the code signing is successful for SHA256 there is nothing to worry about…

Hi Fretpal,

Thank you for the clarification. I no longer fret.

John Milbury-Steen


LOL - no problem - good luck!

You can also fix the problem by choosing another timestamp server for SHA1. Go to the Environment options and replace
http://timestamp.verisign.com/scripts/timstamp.dll
by
http://timestamp.comodoca.com/authenticode
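Added example, not from the thread or from GSignCode: it parses the dual-signing output quoted above and decodes the HRESULT of the failed SHA1 pass. The facility is Win32 and the code sits in the WinINet error range, i.e. the signer failed while talking to a network service (the timestamp server is the only one involved here), which fits the timestamp-server swap suggested in the last post. The log excerpt is a constructed copy of the thread's output, the WinINet name table is a small subset of wininet.h, and the function names are my own.

```python
import re

# Constructed excerpt of the GSignCode output quoted above (not a live log).
SIGNING_LOG = """\
  • SHA1:
    SIGNING ERROR:
    Signing Error - Code 0x80072EFF
  • SHA256:
    File successfully signed.
"""

FACILITY_WIN32 = 7                  # winerror.h: HRESULT wrapping a Win32 error code
WININET_ERROR_BASE, WININET_ERROR_LAST = 12000, 12175   # classic wininet.h error range
WININET_NAMES = {                   # subset of wininet.h names, enough for this log
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12031: "ERROR_INTERNET_CONNECTION_RESET",
}

def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code) per the winerror.h layout."""
    hr &= 0xFFFFFFFF
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF

def diagnose(hr):
    """Name the subsystem behind a signing HRESULT. A WinINet code means the
    signer failed talking to a network service, e.g. the timestamp server."""
    failed, facility, code = decode_hresult(hr)
    if not failed:
        return "success"
    if facility == FACILITY_WIN32 and WININET_ERROR_BASE <= code <= WININET_ERROR_LAST:
        return "network (WinINet): " + WININET_NAMES.get(code, f"error {code}")
    return f"facility {facility}, code {code}"

def parse_signing_log(text):
    """Return {algorithm: {"signed": bool, "hresult": int|None, "diagnosis": str}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*[•*-]\s*(SHA\d+):", line)      # "• SHA1:" section header
        if m:
            current = m.group(1)
            result[current] = {"signed": False, "hresult": None, "diagnosis": "no result"}
        elif current is None:
            continue
        elif (m := re.search(r"Code (0x[0-9A-Fa-f]+)", line)):
            hr = int(m.group(1), 16)
            result[current].update(hresult=hr, diagnosis=diagnose(hr))
        elif "successfully signed" in line:
            result[current].update(signed=True, diagnosis="success")
    return result
```

Running `parse_signing_log(SIGNING_LOG)` reports SHA1 as failed with a WinINet connection-reset code and SHA256 as signed, so the certificate itself is not what broke; only the SHA1 pass's network step did.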