SHA-1 or SHA-256 for Windows kernel-mode Code Signing

Problem

Windows Vista and Server 2008 trigger a security warning for code running in kernel mode if the code was signed with a SHA-256 Authenticode certificate.

The current workaround is to use a SHA-1 certificate. However, SHA-1 is being deprecated. Patched versions of Windows 7 and newer versions of Windows operating systems will trigger a security warning for code signed with a SHA-1 certificate after December 31, 2015.

Certificate Authorities such as Symantec/DigiCert state that they will still issue SHA-1 Code Signing certificates, but “SHA-1 Code Signing certificates have a max expiration date of December 30, 2019,” and they will be discontinued thereafter.

Patched Windows 7 and newer versions should be unaffected. Kernel-mode code that is signed with a SHA-256 Authenticode certificate will run correctly on those operating systems.


Solution

SHA-256 is now the industry-standard signature hash algorithm for code signing certificates. SHA-256 provides stronger security and has replaced SHA-1 as the recommended algorithm. This migration is a natural progression to the more secure SHA-256 algorithm and not a response to any immediate security threat.

Windows 7 (unpatched) and older versions do not trust code signed with a SHA-256 code signing certificate. Microsoft released an update for Windows 7 and Windows Server 2008 R2 to support kernel-mode code signed with a SHA-256 certificate. However, Windows Vista and older versions will not be updated.

See the article Microsoft Windows SHA-1 & SHA-2 Code Signing Hash Algorithm Support for a list of operating systems and patches that support SHA-1 and SHA-2.

For Windows Vista and older clients that run your kernel-mode code, use a SHA-1 certificate to sign your code.

Note: This was a temporary fix through December 31, 2015; after that date, your SHA-1 Authenticode certificate will need to be replaced with a SHA-256 certificate.

For Windows 7 clients that run your kernel-mode code and are still having issues, advise those users to update their systems so that Windows will trust your code signed with a SHA-256 certificate. The recommended operating system update is available from Microsoft TechNet: Microsoft Security Advisory 3033929. As a temporary fix, use a SHA-1 certificate to sign kernel-mode code.

Note: Code signed with a SHA-1 certificate will not be trusted after December 31, 2015.

For dual code signing instructions with SHA-1 & SHA-2 hashing algorithm, refer to INFO2274.
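The dual-signing approach referred to above, as an added PowerShell example that is not part of the original article or of INFO2274: it assumes signtool.exe from the Windows SDK is on the PATH, and the certificate paths and timestamp server URLs are placeholders for your own values.

```powershell
# Dual-sign a kernel-mode driver: SHA-1 signature first (the one Vista and
# unpatched Windows 7 evaluate), then a SHA-256 signature appended for patched
# Windows 7 and newer. Assumes signtool.exe (Windows SDK) is on PATH; the PFX
# paths and timestamp URLs are placeholders, not values from the article.
param(
    [Parameter(Mandatory)] [string] $Driver,                        # e.g. .\mydriver.sys
    [string] $Sha1Pfx    = '.\codesign-sha1.pfx',                   # placeholder
    [string] $Sha256Pfx  = '.\codesign-sha256.pfx',                 # placeholder
    [string] $Sha1Tsa    = 'http://timestamp.example/authenticode', # placeholder
    [string] $Rfc3161Tsa = 'http://timestamp.example/rfc3161'       # placeholder
)

function Invoke-SignTool {
    # Run signtool.exe with the given arguments and stop on any failure.
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool failed: $($Arguments -join ' ')" }
}

$pw = Read-Host -Prompt 'PFX password'

# 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
#    Systems without SHA-2 support read only this first signature, so it must
#    be applied first. Note it is not trusted after December 31, 2015.
Invoke-SignTool @('sign', '/f', $Sha1Pfx, '/p', $pw, '/fd', 'sha1',
                  '/t', $Sha1Tsa, $Driver)

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp
#    whose own digest (/td) is SHA-256. Patched Windows 7 and newer use this one.
Invoke-SignTool @('sign', '/f', $Sha256Pfx, '/p', $pw, '/fd', 'sha256',
                  '/tr', $Rfc3161Tsa, '/td', 'sha256', '/as', $Driver)

# 3. Verify every signature (/all) against the kernel-mode driver signing
#    policy (/kp), which is the check the OS loader applies.
Invoke-SignTool @('verify', '/v', '/kp', '/all', $Driver)
```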

Windows 8 clients are unaffected. Kernel-mode code that is signed with a SHA-256 Authenticode certificate will run correctly on Windows 8.

Windows 10 clients may be affected. Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules are enforced by the operating system, and Windows 10, version 1607 will not load any new kernel-mode drivers that are not signed by the Windows Hardware Developer Center Dashboard portal. OS signing enforcement applies only to new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 are not affected by this change. The portal will only accept driver submissions, including both kernel-mode and user-mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.

If you would like to enroll for an EV Code Signing certificate, request pricing for DigiCert EV Code Signing.
