What is SHA-1 and SHA-2 and what’s the difference between them?

As we wrote in this blog post, Visual Installer now supports both SHA-1 and SHA-2 hash algorithms when it code signs setup packages. But maybe you wonder what this really means and what the difference is between SHA-1 and SHA-2? We will give a short explanation below.

SHA (in SHA-1 and SHA-2) is an acronym for Secure Hash Algorithm. SHA-1 and SHA-2 are sets of cryptographic hash functions designed by the NSA. Cryptographic hash functions are mathematical operations run on digital data; by comparing a computed “hash” (the output from one run of the algorithm) to a known and expected hash value, it is possible to check the integrity of the data. For example, computing the hash of a downloaded file and comparing the result to a known hash value shows whether the downloaded file has been modified or tampered with since it was created.

SHA-1 is older than SHA-2 and is no longer considered secure. Operating systems (such as Windows) and web browsers will soon stop accepting SHA-1; SHA-2 must be used instead. SHA-2 is a family of six hash functions, one of which is SHA-256, which is commonly used when code signing binary files (for example program files, DLL files and setup packages). SHA-256 produces a 256-bit hash value, which is longer than the 160-bit hash value produced by the older SHA-1.
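The integrity check described above, as an added example that is not code from this blog post or from Visual Installer: it hashes a constructed sample "setup package" in chunks, compares the result to a published digest in constant time, and shows the 160-bit versus 256-bit output sizes of SHA-1 and SHA-256. The file names and sample bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import tempfile
from pathlib import Path

# Constructed sample data standing in for a downloaded setup package (not a real file).
ORIGINAL = b"Visual Installer sample setup package contents\n" * 4
TAMPERED = ORIGINAL[:-1] + b"\r"   # a single-byte change to the last byte


def digest_of_stream(stream, algorithm="sha256"):
    """Hash a binary stream in 64 KiB chunks so large packages are never fully in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_of_bytes(data, algorithm="sha256"):
    return digest_of_stream(io.BytesIO(data), algorithm)


def file_digest(path, algorithm="sha256"):
    with open(path, "rb") as f:
        return digest_of_stream(f, algorithm)


def verify_file(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest equals the published one.

    hmac.compare_digest runs in constant time, so an attacker cannot learn
    from timing how many leading characters of a guessed digest were right."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.strip().lower())


def digest_bits(algorithm):
    """Output size of the named hash in bits: SHA-1 gives 160, SHA-256 gives 256."""
    return hashlib.new(algorithm).digest_size * 8


def demo():
    """Publish the SHA-256 of the original package, then check an intact and a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d) / "setup.exe", Path(d) / "setup_tampered.exe"
        good.write_bytes(ORIGINAL)
        bad.write_bytes(TAMPERED)
        published = file_digest(good, "sha256")   # what the vendor would publish alongside the download
        return {
            "sha1_bits": digest_bits("sha1"),
            "sha256_bits": digest_bits("sha256"),
            "sha256_hex_len": len(published),      # 256 bits = 64 hex characters
            "good_matches": verify_file(good, published),
            "tampered_matches": verify_file(bad, published),
        }
```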

For further reading, we recommend the following Wikipedia pages:
> Secure Hash Algorithm
> SHA-1 (Secure Hash Algorithm 1)
> SHA-2 (Secure Hash Algorithm 2)

See also
> What is Code Signing / Digital Signature / Digital Certificate? (Q&A)
