Code Signing Certificates - SHA-1 and SHA-256 Information
If your users are getting an error message that reads "The signature of this program is corrupt or invalid" when they download, you need to upgrade to an SHA-256 signature!
According to the Microsoft PKI blog:
"Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself."
What does that mean?
Any files signed with a SHA-1 certificate need to have a timestamp showing a date and time prior to Jan 1, 2016 for continued support. Those files will still be allowed through the "Mark-of-the-Web" system until Jan 14, 2020, when all SHA-1 support will stop in all current versions of Windows. All new signatures created or timestamped after Jan 1, 2016 must be SHA-256 based signatures or they will cause a "digital signature is corrupted or invalid" error when downloading.
Customers with SHA-1 based certificates should contact Comodo to have their certificates reissued.
Microsoft is announcing the availability of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update as SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.
In order to support Windows XP SP3 and Windows Vista you will need to dual sign: keep a SHA-1 file digest as the primary signature and append a SHA-256 signature for Windows 7 and later.
Run BOTH of those signtool.exe commands. For example:
For SHA-256 timestamps, use Comodo's SHA256 timestamp server: http://timestamp.comodoca.com/?td=sha256
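The dual-signing procedure above, as an added PowerShell example that is not Comodo's own script. It assumes signtool.exe from the Windows SDK is on PATH, that a PFX file holds the reissued SHA-256 code signing certificate and its private key, and that the SHA-1 Authenticode timestamp URL (assumed here) is replaced with the CA's actual one; the SHA-256 RFC 3161 timestamp URL is the one given above.

```powershell
# Added example (not Comodo's own script): dual-sign a binary so that
# Windows XP SP3 / Vista see a SHA-1 primary signature and Windows 7+ see
# an appended SHA-256 signature. Assumes signtool.exe is on PATH.
param(
    [Parameter(Mandatory = $true)] [string] $File,         # e.g. .\setup.exe
    [Parameter(Mandatory = $true)] [string] $PfxPath,      # certificate + private key
    [Parameter(Mandatory = $true)] [string] $PfxPassword
)

$ErrorActionPreference = 'Stop'

# SHA-256 RFC 3161 timestamp server as given on the page. The SHA-1
# Authenticode timestamp URL below is an assumption; use your CA's real one.
$Sha256TsaUrl = 'http://timestamp.comodoca.com/?td=sha256'
$Sha1TsaUrl   = 'http://timestamp.comodoca.com/authenticode'   # assumed

function Invoke-SignTool {
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): signtool $($Arguments -join ' ')"
    }
}

# Step 1: SHA-1 file digest with a legacy Authenticode timestamp (/t).
# This must be the primary signature: XP/Vista cannot read appended signatures.
Invoke-SignTool @('sign', '/f', $PfxPath, '/p', $PfxPassword,
                  '/fd', 'sha1', '/t', $Sha1TsaUrl, '/v', $File)

# Step 2: append (/as) a SHA-256 file digest with an RFC 3161 SHA-256
# timestamp (/tr + /td). Without this, Windows 7+ reports the download's
# signature as corrupt or invalid after the cut-off dates.
Invoke-SignTool @('sign', '/as', '/f', $PfxPath, '/p', $PfxPassword,
                  '/fd', 'sha256', '/tr', $Sha256TsaUrl, '/td', 'sha256', '/v', $File)

# Check: /pa applies the default Authenticode policy, /all verifies every
# signature on the file, not just the primary one.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)

# Get-AuthenticodeSignature only reports the primary (SHA-1) signature, so
# use it as a quick sanity check rather than proof that the SHA-256 signature exists.
(Get-AuthenticodeSignature -FilePath $File).Status
```

The order matters: the SHA-1 signature is created first so it occupies the primary slot that Windows XP SP3 and Vista read, and the SHA-256 signature is appended with /as so that Windows 7 and later, which walk all signatures, find a SHA-256 digest with a SHA-256 timestamp.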