GlobalSign to Stop Issuing SHA1 Code Signing Certificates

Notice on GlobalSign's Upcoming End of SHA-1 Code Signing Issuance


GlobalSign's Code Signing Certificate products face two major changes, as follows:

1. Upcoming end of SHA-1 Code Signing issuance

Starting June 29, 2020, GlobalSign will no longer offer Code Signing Certificates that use the SHA1 hash algorithm.

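Until now, because some older operating systems do not support the newer SHA-2 algorithm when validating code signing certificates, GlobalSign has offered customers a choice of SHA1 or SHA2. Starting June 29, 2020, however, GlobalSign will disable SHA-1 certificates, and on January 1, 2021 it will discontinue the SHA-1 timestamping service. If a user's existing SHA-1 certificate is valid beyond January 1, 2021, it needs to be reissued.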

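(Note: GlobalSign will enforce this ahead of January 1, 2021, the deadline published by the CAB Forum for CAs to stop using the SHA-1 algorithm and SHA-1 timestamping services.)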

2. Kernel-mode driver signing process: KCMS certificate expiration

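In the past, customer-signed software or drivers that run in Windows kernel mode could use any GlobalSign Code Signing Certificate together with the Microsoft cross-certificate that chains back to the GlobalSign R1 root. This cross-certificate expires in April 2021, and Microsoft will not renew any such certificates. The new approach requires enrolling in the Microsoft Hardware Developer Program, and the enrollment process requires the customer to sign a file with a valid, publicly trusted EV Code Signing Certificate.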

GlobalSign's notice on the upcoming end of SHA-1 Code Signing issuance


End of Life for SHA-1 Code Signing


Up until 29th of June 2020, GlobalSign has allowed customers to issue Code Signing Certificates signed with the SHA-1 hash algorithm. We have continued to allow SHA-1 Code Signing issuance due to Microsoft legacy operating systems that did not support SHA-2 signed software.

In 2019, Microsoft completed offering full support for SHA-2 in older operating systems.

Additionally, the CAB Forum guidelines on Code Signing now mandate that CAs must stop issuance of SHA-1 Code Signing Certificates and SHA1 Timestamping by January 1st, 2021.

Change or Impact

Effective 29th of June, 2020 - GlobalSign will stop issuing SHA-1 Code Signing Certificates. After that date, certificates can only be ordered and reissued with SHA-2.

Effective January 1st, 2021 - Access to SHA1 Timestamping will be discontinued.

Frequently Asked Questions

I currently have a SHA-1 Code Signing Certificate, how am I affected?

If your Certificate expires before January 2021, you should select the option for SHA-2 issuance when renewing your Certificate. If your Certificate expires after 1st of January 2021, you should reissue the Certificate with SHA-2 before that date. This date does not align with the end of life for SHA-1 signed certificates because already issued certificates remain valid but require SHA-1 timestamps for signatures.

I am not sure whether my current Code Signing Certificates are SHA-1 or SHA-2?

Since 2018, the option for SHA-1 had to be explicitly selected during ordering. Unless you did so, your Certificate is issued with SHA-2. When in doubt, you can check the fields “Signature Hash Algorithm” and “Signature Algorithm” in your Certificate details.

Will my previously signed software be affected?

If Long-Term-Validity for signatures has been enabled, previously signed software is unaffected. This is the default with most signing applications.

I have legacy applications that rely on SHA-1 signed applications

No CA will be able to offer publicly trusted SHA1 Code Signing Certificates starting 1st of January 2021. It is recommended to update your systems so SHA-2 hashes can be processed.


