Security notice: root certificate program of Microsoft abandoned SHA-1 Hash algorithm2016-01-12
On January 12, 2016, Microsoft released security notice 3123479 that SHA-1 Hash algorithm has been abandoned since January 1 of 2016.
If customers, who operate Internet Explorer or Microsoft Edge, download SHA-1 signature file with timestamp from Internet issued on or after January 1, 2016, SmartScreen will mark it as untrusted file. This condition will not stop users downloading the file or operating the browser on his computer, but it will prompt warning to users against the untrusted file.
This modification only has influence upon Mark-of-the-Web (MOTW) files downloaded from Internet. Files time stamped before January 1, 2016 will continue being trusted. Drive programs with signature that has passed the verification of code integrity will not be influenced by this modification.
To solve the compatibility problem of different versions of Windows operating systems during signing, WoSign CA exclusively introduced the dual certificate services. This means buying one code signing certificate, you will be issued two certificates (SHA-2 signature algorithm and SHA-1 signature algorithm). At the same time, WoSign researched and developed dual signature tool, WoSignCode code signing Wizard, which allows software developers to attach both SHA1 and SHA2 signature algorithms to one software code. After being downloaded, the software will be trusted by any version of Windows operating system. There will be no security warning or interception.