Since January 1, 2016, Windows 7 and newer Windows will no longer trust software that is signed with a SHA-1 code signing certificate, if the software is downloaded from the Internet and the software is time-stamped with a value greater than January 1, 2016. This means that if you code sign a binary file (for example an EXE file) this year and uses SHA-1 as a hash algorithm, it will not be trusted in newer Windows. Instead you must use a SHA-2 (SHA-256) code signing certificate; then the binary file will be trusted by Windows 7 and newer. You can read more about this in the following articles on Microsoft’s website:
> Windows Enforcement of Authenticode Code Signing and Timestamping
> Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program
Updated Visual Installer
We have updated our installation tool Visual Installer to support SHA-2 (SHA-256) when it code signs a setup package. We have also updated Visual Installer to support dual signing, so you can code sign a setup package with both SHA-1 and SHA-2. This is very useful if you have software that should be able to run also in older Windows (for example in Windows XP). By code signing a setup package twice, first with SHA-1 and then with SHA-2, your code sign certificate will be useful in both older Windows and newer Windows.
How to change hash algorithm from SHA-1 to SHA-2
In Visual Installer you can change the hash algorithm from SHA-1 to SHA-2, for an existing project, by following the steps below:
1. Start Visual Installer
2. Open your project
3. Choose the Special – Setup options menu item
4. Open the Code Signing tab in the Setup options dialog box
5. Open the Option sub tab
6. Select the Use SHA-2 option
7. Close the dialog box
If your minimum system requirements is Windows 7, you can use SHA-2 as a hash algorithm. But if you also want to support older Windows, follow the steps below:
How to dual sign a setup package (SHA-1 and SHA-2)
1. Start Visual Installer
2. Open your project
3. Choose the Special – Setup options menu item
4. Open the Code Signing tab in the Setup options dialog box
5. Open the Option sub tab
6. Select the Use SHA-1 and SHA-2 (recommended) option
7. Close the dialog box
When you open your project file
If you have installed the latest version of Visual Installer 2015 (version 10.5.16 or later) and opens a project file, you may see this message box when you open your project:
It is recommended to answer yes, so the latest version of Microsoft’s code signing tool is used when a setup package is code signed. If you want to dual sign a setup package, you must have a quite new version of the code signing tool. You can read more in this blog post.
Available in Visual Installer 2015 version 10.5.16 and later
The functionality described above is available in Visual Installer 2015 version 10.5.16 and later; in both the Standard and Professional versions of Visual Installer. If you have an active 1 or 12 months maintenance plan for Visual Installer 2015, you can download this update for free from our download page.
See also
> What is SHA-1 and SHA-2 and what’s the difference between them?
> How to code sign a setup package (Visual Installer tip)