Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.
What this means:
Any new distribution of our products (i.e. Terian ICP, Terian IDC) that are code signed and time stamped from 01/Jan/2016 onwards will no longer appear as coming from a verified publisher, i.e. like this…
Fortunately GoDaddy provides both SHA-1, and SHA256 code signing certificates. So newer versions of Windows can be supported with the new SHA256 certificate ensuring our applications still appear to be from a verified published.
Dual Certificate Code Signing:
To ensure we maintain backward compatibility with older versions of windows all new distributions will be code signed with both the SHA-1, and SHA256 certificates, like this…
Once SHA-1 has been fully deprecated we will most likely transition to only signing our code with the SHA256 certificate. Hopefully by this time our requirement to ensure 100% support on older systems will be reduced.
More information regarding Windows Enforcement of authenticode Code Signing can be found here