A+ A A-

Sign your code - and use SHA-2

Code signing your production executable and supplementary dlls, has been treated as optional for many developers for a long time.
This should stop and become mandatory practice to sign everything you ship!
It is a topic I have tried to bring more awareness to, not only to ensure you ship a trustworthy application, but also to combat stricter execution environments.
As a side note, code signing certificates are cheap nowadays. Getting an OV certificate, which would suffice for most developers out there, is as low as $84 for a year at ksoftware. Pricing is noted as this time of writing this article and might change in the future.
- There's really no excuse for not signing today.
EV certificates is also an option, though they serve a different purpose, are more expensive and have a more rigorous validation process.

For those who already are familiar with code signing, you might have noted we've been signing with SHA-1 for a very long time. It's kind of been the norm.
A couple years back, however, security experts demonstrated weaknesses in the SHA-1 hashing algorithm and deemed it unsafe.
This has also resulted in code signing should at least use SHA-256 instead - also known as SHA-2.
Recently, Microsoft published a blog post detailing the cut-off date, which basically means the SHA-1 Trusted Root Certificate will expire and their updates, and everything shipped from them, will be signed with SHA-2 only.
While it might not affect you directly at first, your current code signing certificate might be linked to this root certificate, and the expiration might result in validation issues.
I would encourage you, dear reader and fellow developer, to sign your code you ship and start using SHA-2 and reduce the headache with customer support tickets.

Link to the Microsoft blog post


As always, I hope you learned something.


We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.