20161104 - Symantec : SHA1 timestamping decommissioning
At the end of January, 2017, Symantec will be decommissioning its SHA1 RFC 3161 timestamp service.
As a result we recommend that all our customers sign their Java applications using SHA256 codesigning certificates and timestamp with the new Symantec SHA256 RFC 3161 timestamp service.
Why?
First, SHA1 is being phased out everywhere, so retiring the SHA1 timestamp service is the natural and expected evolution of the service.
Second, in the near future Oracle will be taking steps to remove SHA1 support for both Java signing and timestamping.
This will not impact Java applications that were previously signed or timestamped with SHA1: these will continue to function properly. However, Java applications signed or timestamped with SHA1 after Oracle's announced date may not be trusted.
Compatibility issues might occur
Be careful though: Windows Vista, Windows Server 2008 and older platforms are not compatible with SHA256.
This is why Microsoft recommends dual signing (SHA1/SHA256) for greater compatibility. So, whatever course of action you take, do not hesitate to double sign all your code.
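The dual signing recommended above, together with the SHA256 signing and timestamping of Java applications recommended at the top of this page, as an added example (not code from Symantec or from this page). It assumes signtool.exe and jarsigner are on PATH, that the code signing key and certificate are in a PFX file with an RSA key, and that the file paths, password prompt and keystore alias are placeholders to replace; the two timestamp URLs are the ones listed on this page.

```powershell
# Added example: dual-sign a Windows binary (SHA1 + SHA256) and sign a JAR with SHA-256.
# Assumptions (not from the page): signtool/jarsigner on PATH, PFX with an RSA key,
# placeholder paths and alias below.
$Pfx       = 'C:\certs\codesign.pfx'          # placeholder
$PfxPass   = Read-Host 'PFX password'          # signtool /p and jarsigner -storepass need plaintext
$Sha1Tsa   = 'http://sha1timestamp.ws.symantec.com/sha1/timestamp'      # from the announcement
$Sha256Tsa = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'  # from the announcement

function Invoke-DualSign {
    param([string]$File)
    # 1) Primary SHA1 signature + SHA1 RFC 3161 timestamp: the one Vista / Server 2008 can validate.
    & signtool sign /f $Pfx /p $PfxPass /fd sha1 /tr $Sha1Tsa /td sha1 /v $File
    if ($LASTEXITCODE -ne 0) { throw "SHA1 signature failed for $File" }
    # 2) Appended (/as) SHA256 signature + SHA256 RFC 3161 timestamp; newer Windows uses this one.
    & signtool sign /f $Pfx /p $PfxPass /fd sha256 /tr $Sha256Tsa /td sha256 /as /v $File
    if ($LASTEXITCODE -ne 0) { throw "SHA256 signature failed for $File" }
    # Check that every signature and its timestamp verifies under the default Authenticode policy.
    & signtool verify /pa /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $File" }
}

function Invoke-JarSign {
    param([string]$Jar, [string]$Alias)
    # A JAR carries one signature: digest, signature algorithm and TSA all moved to SHA-256.
    & jarsigner -keystore $Pfx -storetype PKCS12 -storepass $PfxPass `
        -digestalg SHA-256 -sigalg SHA256withRSA -tsa $Sha256Tsa $Jar $Alias
    if ($LASTEXITCODE -ne 0) { throw "JAR signing failed for $Jar" }
    & jarsigner -verify -verbose -certs $Jar
    if ($LASTEXITCODE -ne 0) { throw "JAR verification failed for $Jar" }
}

Invoke-DualSign -File 'C:\build\installer.exe'              # placeholder path
Invoke-JarSign  -Jar 'C:\build\app.jar' -Alias 'codesign'   # placeholder path and alias
```

Once the SHA1 RFC 3161 service is decommissioned at the end of January 2017, the first signtool call will fail; at that point drop it, or point it at a SHA1 timestamp service that is still answering, and keep the SHA256 signature as the primary one.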
Which products are concerned?
All code signing certificates issued by Symantec or Thawte.
My code signing certificate is signed in SHA1, what should I do?
Two options:
- If your certificate expires within the next 3 months, request its renewal now. You will automatically be redirected to a SHA256 product.
- Otherwise, request a free reissuance of your certificate via its status page. It will automatically be delivered in SHA256.
Useful links
- Sign with signtool (registry / Vista and following)
- Sign with Signtool (.pfx file or .pvk and .spc files)
- Symantec announcement
- SHA1 RFC 3161 timestamping service: http://sha1timestamp.ws.symantec.com/sha1/timestamp
- SHA256 RFC 3161 timestamping service: http://sha256timestamp.ws.symantec.com/sha256/timestamp