Windows programmers: Renew or upgrade your code signing certificates now

Windows programmers: Renew or upgrade your code signing certificates now

Depending on your goals, the new SHA-2 cert may not be in your best interests

The industry is moving from SHA-1 certification to SHA-2, and if you sign code you need to be aware of the changes afoot. In a nutshell, you will probably want to get an SHA-2 certificate before Dec. 31, if you don't already have one. But if you have an SHA-1 certificate and want to keep using it, you should renew the cert -- preferably for multiple years -- before the end of the year.

two hands pointing at each other creating an electrical charge against blue background

The power of PowerShell: An intro for Windows Server admins

In this increasingly devops-minded world, automation is king. Here’s how to get started with PowerShell

READ NOW

If you don't have a cert and want to use SHA-1 for compatibility reasons -- in Kernel Mode, in particular -- you better get the cert now. After Jan. 1, the CA/certificate issuing authorities (Comodo, DigiCert, GlobalSign, and others) are not permitted to issue SHA-1 certs.

[ The InfoWorld review: New Windows 10 version still can't beat Windows 7 | Everything you need to know about Windows 10, in a handy PDF. Download it today! | Stay up on key Microsoft technologies with the Windows newsletter. ]

Why would you want to use an SHA-1 cert in an SHA-2 world? That's a very good question, and veteran Windows programmer David Ching at DCSoft has an excellent explanation. If you're only working on User mode programs (msi and exe files), you need SHA-2 -- end of discussion. But if you're working on Kernel mode programs (sys files), SHA-1 works across all the modern Windows platforms, from XP to Win10. SHA-2 doesn't work for XP or Vista Kernel mode.

You might think that an SHA-2 signature would make your Kernel mode programs more secure than SHA-1, but that isn't so. Ching says:

The purpose of signing software is to prove that you created it. The way it works is when your customer downloads/installs/loads your software, it is Windows that verifies your signature and reports something like "Verified Publisher:  <the company name from your certificate>."

An attacker can use the more insecure SHA-1 to more easily spoof your signature on software that the attacker creates (e.g. malware).  Such malware would appear to have come from you.  Windows would report "Verified Publisher:  <the company name from your certificate>."  But, this scenario, appalling though it is, can happen even if you sign your legitimate software with SHA-2.  An attacker can still sign the malware with a spoofed SPA-1 signature of yours.  So you can see that whether you sign your software with SHA-1 or SHA-2, it makes absolutely no difference in the likelihood of being spoofed.

Moving from an SHA-1 cert to SHA-2 is generally free, but you may want to consider whether you're ready to give up on XP and Vista Kernel mode. Microsoft may want you to snub XP and Vista in Kernel mode, but their goals aren't necessarily your goals.

Read Ching's post and decide for yourself.