SHA1 Deprecation and Win10 SmartScreen Filter Warning (SHA2 Code Signing)
Many Windows software vendors will continue to feel the pain after learning the hard way that SHA1 deprecation occurred, or, as in our case, weren’t as ready for that as they thought! This is the story of our experience, where we had switched to dual-signing with SHA1 and SHA2, but didn’t get it precisely right (had to get our cert reissued). We welcome discussion below…
UPDATE: I am pleased to report that this issue is resolved now. Our code signing is correct and trusted. Rare sights of these warnings may still occur, but will be much less frequent.
Given the deprecation of SHA1 for all uses, including Windows Code Signing (Authenticode), Bitsum switched to dual-signing for all binaries time-stamped on, or after, Jan 1, 2016. This allows us to retain backwards compatibility with SHA1 authentication, while also providing SHA2 authentication. Basically, both signatures are provided on every binary (see last image of post).
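How the dual signature described above is produced and then checked, as an added example (this is not Bitsum's build script): a PowerShell script that drives signtool.exe from the Windows SDK. The certificate thumbprint, timestamp URLs and file name are placeholders; the script assumes signtool.exe is on PATH and the signing certificate sits in the CurrentUser\My store.

```powershell
# Added example, not code from the original post: dual-sign one binary with a
# SHA-1 and a SHA-256 Authenticode signature, then verify both signatures.
$File      = '.\Installer.exe'                         # placeholder file name
$Thumb     = '<CERT-THUMBPRINT-PLACEHOLDER>'           # SHA-1 thumbprint of the signing cert
$TsSha1    = 'http://timestamp.example/authenticode'   # placeholder Authenticode timestamp URL
$TsRfc3161 = 'http://timestamp.example/rfc3161'        # placeholder RFC 3161 timestamp URL

# 1. Primary signature: SHA-1 file digest, kept for systems that only validate SHA-1.
& signtool sign /sha1 $Thumb /fd sha1 /t $TsSha1 $File
if ($LASTEXITCODE -ne 0) { throw 'SHA-1 signing failed' }

# 2. Appended signature: /as adds it instead of replacing the first one. The file
#    digest is SHA-256 and the RFC 3161 timestamp digest (/td) is SHA-256 as well,
#    so the whole second signature stays off SHA-1.
& signtool sign /sha1 $Thumb /fd sha256 /tr $TsRfc3161 /td sha256 /as $File
if ($LASTEXITCODE -ne 0) { throw 'SHA-256 signing failed' }

# 3. Verify against the default Authenticode policy (/pa). /all walks the nested
#    signatures too, and /v prints digest algorithm, chain and timestamp details so
#    you can confirm that BOTH signatures, not just the first, validate as trusted.
& signtool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw 'Signature verification failed' }
```

A binary that passes step 3 with only one signature listed has not been dual-signed; that is the check worth running before shipping.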
Please understand, we didn’t switch because we felt like it. Rather, it was mandated. As of Jan 1, Windows 7 and above stopped all SHA1 code signing support for binaries time-stamped in 2016 or greater. This means we had to make either a change to SHA2, or a change to dual-signing. The latter seemed the only viable option for us and most vendors, though notably Firefox is going SHA2-only.
Unfortunately, this change means that our previous long-standing good SHA1 certificate history has been wiped out, so we’re building a SHA2 history fresh. If only our history transferred, but it seems it does not.
Regardless of which browser you download with, if Windows 8/10 considers the file a download, it will go through the SmartScreen filter, and you may see warnings like these (the first is IE11/Edge only):
IE11 and Edge Warning
For downloads from *our* domain of bitsum.com, you simply need to click ‘I understand the risk’ and ‘Run anyway’. You will then see a properly validated Bitsum LLC digital signature in the UAC elevation prompt (shown below). Simply click YES on this second prompt, as always.
We hope to see this situation self-resolve, and will make every attempt to accelerate that process, as our SHA2 signature builds a new reputation for itself. Sadly, no other method for transferring our vendor reputation is known at this time.