If you are a software developer, you may have encountered a thorny problem recently. The SHA1 signature algorithm is about to be deprecated by the new version of Microsoft's operating system, while the SHA2 signature algorithm is not compatible with the old version of the operating system. How to make your software work in various versions of Windows systems has become a problem that software developers urgently need to solve. This article recommends a tool that can attach two signature algorithms, SHA1 and SHA2, to the software code, so that the software can be used on all Windows systems.
Why do you need a digital signature?
First of all, let’s talk about science first, why do we need digital signatures ? If you are a software developer, you may already know that the windows system and some browsers (eg IE, Firefox) use a technology called Authenticode to identify the publisher of the software to check that the software is not affected by viruses . Software developers will use code signing tools and code signing certificates to add digital signatures to software codes before software is released. Software without digital signatures may not work properly.
Taking the Windows system as an example, if the user downloads and runs unsigned software, the Windows system will issue a red security warning; while the unsigned ActiveX controls are directly blocked and not allowed to run by Windows. Therefore, digital signature is an essential process before software is released.
SHA1 Retires , Leaving Conundrums for Software Developers
Secure Hash Algorithm (SHA) is a hash algorithm used for digital signatures. It includes several one-way hash algorithms such as SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-224, SHA-256, SHA-384, and SHA-512 are collectively called is SHA-2.
The security of the SHA1 signature algorithm is decreasing year by year, and it is very likely to be cracked. The International Standards Organization requires global CA agencies to stop issuing various certificates for the SHA1 signature algorithm after December 31, 2015. From January 1, 2016, Microsoft's Win7 and above operating systems will no longer trust software codes signed with the SHA1 algorithm, so as to urge software developers to migrate to the SHA2 algorithm as soon as possible, but Windows XP, Vista and other older versions operate The system does not support the code signature verification of the SHA2 algorithm, but there are still 3 million Windows XP SP2 users in my country who still do not support the SHA-2 signature algorithm. This poses a problem for software developers: using the SHA1 algorithm means giving up the user base of new versions of Win7 and above; using the SHA2 algorithm means giving up the user base of old versions such as XP; if the software is released in two versions, the operation and promotion Costs will multiply. How to make the same software code support all versions of Windows operating system at the same time?
Code signing tool that supports dual certificate signing
" WoSignCode Code Signing Wizard " perfectly solves this problem, allowing software developers to attach two signature algorithms, SHA1 and SHA2, to the same software code. After the user downloads the software, no matter which version of the Windows operating system it runs on, it can be trusted by the operating system, and there will be no security warnings and system interceptions!
More importantly, WoSign, the CA that developed this code signing tool, also launched the "Dual Certificate Service" simultaneously. Users apply for a WoSign code signing certificate, and the system issues two certificates by default (using SHA1 and SHA2 signature algorithm) to the user, only need to spend a money to get the certificate of the two signature algorithms. Without increasing the cost, dual-certificate signatures can be implemented for software codes, which completely solves the compatibility problem of signature algorithms of old and new versions of Windows.
It is said that the WoSign code signing certificate is also included in Microsoft's official recommended purchase list, and is recommended to global Windows developers in the " Get Code Signing Certificate " column of the Windows Hardware Developer Center. Buy online at Wotong Digital Certificate Store.
Comparison of WoSignCode with other signing tools
Compared with the two digital signature tools , Signtool and Signcode provided by Microsoft , WoSignCode has comprehensive functions, is easy to use, and supports dual-certificate signing and batch signing.
The Signtool command-line tool requires users to have a certain DOS command base, and it is cumbersome to manually type commands when signing software; although Signcode has a visual interface, it can only sign one file at a time, and does not support batch signatures. When signing multiple software The operation must be repeated; in addition, neither tool supports SHA1, SHA2 dual certificate signing . In order to avoid AD suspicion, the download address is not listed here, and you can search for " WoSign Code Signing Tool " by yourself.
WoSign also provides free time stamping services, supports Microsoft Authenticode technology and international standard RFC3161 two time stamping standards, and supports both Windows XP and Windows 7 systems. Be sure to add a free timestamp when signing any code to ensure that the digital signature of the software code is still valid after the certificate expires.
Free time stamping services that support Microsoft's Authenticode technology are available at:
http://timestamp.wosign.com/timestamp
The URL of the free time stamping service that supports the international standard RFC3161 is:
http://timestamp.wosign.com/rfc3161