Whether/how to avoid SHA-1 signed timestamp when code signing?

We just switched from a SHA-1 to a SHA-2 code signing certificate. (As background info, we sign .exe and .xap files on Windows with signtool.exe, using COMODO code signing certificates.) We do this using a certified timestamp, to make sure that Windows keeps trusting the code signature after the code signing certificate expires.

Now I noticed that the timestamp certificate is still a SHA-1 certificate, when using http://timestamp.comodoca.com/authenticode. (Details: It is df946a5... with Subject 'CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford, S=Greater Manchester,C=GB'.)

(On Windows one can see that certificate by taking a signed .exe, then in its Explorer Properties dialog go to the Digital Signatures tab, select the signature and click Details, then in the Digital Signature Details dialog click the counter signature and click Details, then in the second Digital Signature Details dialog click on View Certificate. The certificate is a SHA-1 certificate if its 'Signature hash algorithm' is 'sha1'.)

Will this be a problem? In other words, after our current code signing certificate has expired, and after Microsoft Windows treats SHA-1 as a broken algorithm (which is in 2020 at the latest), will our current signatures still be trusted? Or will Windows say, “The timestamp is within the code signing certificate's validity range, but the timestamp was signed with a SHA-1 certificate, so I will not trust the timestamp, and therefore I won't trust this signature”?

Is there another service we can/should use? (Not Verisign's http://timestamp.verisign.com/scripts/timstamp.dll, since they also still use a SHA-1 time stamping certificate, viz. 6543992...)

asked Jun 03 '15 11:06

MarnixKlooster ReinstateMonica



2 Answers

Since 1/1/2017, you can no longer use SHA-1 on Windows 7 and later (if timestamped after 1/1/2016).

This article describes how to obtain a SHA-256 timestamp certificate, using the timestamp URL http://timestamp.globalsign.com/?signature=sha2. As an alternative, see this list of timestamp servers which you can also use.

The signtool /td flag is also important (and poorly documented).

Signing like this:

signtool sign /fd SHA256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /a filename.exe

results in an executable with a code sign certificate and timestamp certificate with SHA-256 signature hash algorithm.

answered Jan 05 '23 04:01

Kyle Alons


You can use your SHA-2 certificate to double-sign code so that it validates under XPsp3 and Vista (which don't understand SHA-2) as well as later OSs (Win 7, 8, 10).

It's a two-step process that first signs with SHA-1, then appends a SHA-256 signature. Though it is not explicit, the first run of signtool defaults to SHA-1 signing. In the second run, you request the sha256 digest algorithm with the /fd option. The time servers in this example are Comodo's.

signtool sign /f cert.pfx /p your_cert_password /t "http://timestamp.comodoca.com" /v file_to_sign.exe

signtool sign /f cert.pfx /p your_cert_pass /fd sha256 /tr "http://timestamp.comodoca.com/?td=sha256" /td sha256 /as /v file_to_sign.exe

You need to use a version of signtool that supports dual signing (the /as option). I believe that's Windows SDK version 8.1 or higher.

When you have done this, check the security properties of the executable, and you should see both SHA-1 and SHA-256 signatures (under later OSs) but only the SHA-1 signature under XP/VISTA.

Note that other time servers have different options to specify the digest algorithm. Your issuing CA should be able to provide the appropriate URLs.

answered Jan 05 '23 03:01

EBlake
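
The manual Explorer check described in the question, and the "check the security properties" step in both answers, can be scripted. The following is an added example, not code from the question or either answer; the function name `Get-SigningAlgorithmReport` is hypothetical, and it relies only on the built-in `Get-AuthenticodeSignature` cmdlet. It reports the signature algorithm of the code signing certificate and of the timestamp certificate, and flags SHA-1 or a missing timestamp.

```powershell
# Added example: hypothetical helper, not part of the original answers.
function Get-SigningAlgorithmReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    foreach ($file in $Path) {
        # Returns one signature object per file, including the timestamp
        # countersigner's certificate when a timestamp is present.
        $sig    = Get-AuthenticodeSignature -LiteralPath $file
        $signer = $sig.SignerCertificate
        $tsa    = $sig.TimeStamperCertificate

        # FriendlyName looks like 'sha1RSA' or 'sha256RSA'; $null if no cert.
        $signerAlg = if ($signer) { $signer.SignatureAlgorithm.FriendlyName }
        $tsaAlg    = if ($tsa)    { $tsa.SignatureAlgorithm.FriendlyName }
        $notAfter  = if ($signer) { $signer.NotAfter }

        # Collect the conditions a release pipeline should fail on.
        $findings = @()
        if (-not $signer)           { $findings += 'unsigned' }
        if ($signer -and -not $tsa) { $findings += 'no timestamp' }
        if ($signerAlg -match '^(sha1|md5)') {
            $findings += "signing certificate uses $signerAlg"
        }
        if ($tsaAlg -match '^(sha1|md5)') {
            $findings += "timestamp certificate uses $tsaAlg"
        }

        [pscustomobject]@{
            Path                   = $file
            Status                 = $sig.Status
            SignerCertAlgorithm    = $signerAlg
            SignerNotAfter         = $notAfter
            TimestampCertAlgorithm = $tsaAlg
            Findings               = $findings -join '; '
        }
    }
}

# Example call; the file name is the placeholder used in the answers.
Get-SigningAlgorithmReport -Path .\file_to_sign.exe | Format-List
```

`Get-AuthenticodeSignature` returns a single signature object per file, so for a dual-signed file use `signtool verify /pa /all /v file_to_sign.exe` to list every signature.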