Depending on your goals, the new SHA-2 cert may not be in your best interests

The industry is moving from SHA-1 certification to SHA-2, and if you sign code you need to be aware of the changes afoot. In a nutshell, you will probably want to get an SHA-2 certificate before Dec. 31, if you don’t already have one. But if you have an SHA-1 certificate and want to keep using it, you should renew the cert — preferably for multiple years — before the end of the year. If you don’t have a cert and want to use SHA-1 for compatibility reasons — in Kernel Mode, in particular — you had better get the cert now. After Jan. 1, the CA/certificate issuing authorities (Comodo, DigiCert, GlobalSign, and others) are not permitted to issue SHA-1 certs.

Why would you want to use an SHA-1 cert in an SHA-2 world? That’s a very good question, and veteran Windows programmer David Ching at DCSoft has an excellent explanation.

If you’re only working on User mode programs (msi and exe files), you need SHA-2 — end of discussion. But if you’re working on Kernel mode programs (sys files), SHA-1 works across all the modern Windows platforms, from XP to Win10. SHA-2 doesn’t work for XP or Vista Kernel mode.

You might think that an SHA-2 signature would make your Kernel mode programs more secure than SHA-1, but that isn’t so. Ching says:

The purpose of signing software is to prove that you created it. The way it works is when your customer downloads/installs/loads your software, it is Windows that verifies your signature and reports something like “Verified Publisher: .” An attacker can use the more insecure SHA-1 to more easily spoof your signature on software that the attacker creates (e.g. malware). Such malware would appear to have come from you. Windows would report “Verified Publisher: .” But, this scenario, appalling though it is, can happen even if you sign your legitimate software with SHA-2. An attacker can still sign the malware with a spoofed SHA-1 signature of yours.
So you can see that whether you sign your software with SHA-1 or SHA-2, it makes absolutely no difference in the likelihood of being spoofed.

Moving from an SHA-1 cert to SHA-2 is generally free, but you may want to consider whether you’re ready to give up on XP and Vista Kernel mode. Microsoft may want you to snub XP and Vista in Kernel mode, but their goals aren’t necessarily your goals. Read Ching’s post and decide for yourself.
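Before deciding whether to renew an SHA-1 cert or move to SHA-2, it helps to know what your shipped binaries are actually signed with. The PowerShell script below is an added example, not code from this article or from David Ching: it walks a folder of .sys, .exe and .msi files, reads the signing certificate from each Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and flags files whose signing cert is SHA-1 (sha1RSA) and expires on or before Dec. 31 of the current year, since that is the combination the article says must be renewed before the CAs stop issuing SHA-1 certs. The folder path C:\Drivers is a placeholder you replace with your own.

```powershell
# Added example (not from the article or from DCSoft). Inventory the signing
# certificates on code under $Root and flag SHA-1 certs that expire this year.
# Assumption: $Root is a folder of your own binaries; C:\Drivers is a placeholder.
param([string]$Root = 'C:\Drivers')

# Certificate signature algorithm OIDs: 1.2.840.113549.1.1.5 is sha1RSA,
# 1.2.840.113549.1.1.11 is sha256RSA.
$Sha1WithRsa = '1.2.840.113549.1.1.5'
$Cutoff      = Get-Date -Year (Get-Date).Year -Month 12 -Day 31

Get-ChildItem -Path $Root -Recurse -File -Include *.sys, *.exe, *.msi |
  ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate        # $null when the file is unsigned

    # Fill in cert details only when a signer certificate is present.
    $subject  = $null; $alg = $null; $algOid = $null; $expires = $null
    if ($cert) {
      $subject = $cert.Subject
      $alg     = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
      $algOid  = $cert.SignatureAlgorithm.Value
      $expires = $cert.NotAfter
    }

    [pscustomobject]@{
      File        = $_.FullName
      Status      = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
      Subject     = $subject
      CertHashAlg = $alg
      CertExpires = $expires
      # SHA-1 cert expiring by year end: renew it now or it cannot be reissued as SHA-1 after Jan. 1.
      RenewNow    = [bool]($cert -and $algOid -eq $Sha1WithRsa -and $expires -le $Cutoff)
    }
  } | Sort-Object RenewNow -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. CertHashAlg is the algorithm the CA used to sign your certificate, which is what the article means by an "SHA-1 cert"; the digest algorithm used to hash the file itself is chosen at signing time and is not exposed by this cmdlet. And a Status of Valid only means the signature chain verifies on the machine running the script; it says nothing about whether an XP or Vista kernel would accept the same file.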