Windows 7 and Server 2008 Updates to Require SHA-2 Support Starting July

by chebbi abir

Microsoft announced on its support website that future Windows 7 and Windows Server 2008 updates will require SHA-2 code signing support to be installed, starting July 16, 2019.

SHA-2 code signing support will be added to Windows 7 SP1 and Windows Server 2008 R2 SP1 on March 12 and April 9 respectively, as part of dedicated standalone security updates.

While Windows updates currently use both the SHA-1 and SHA-2 hash algorithms for code signing, migration to SHA-2 is necessary because a number of weaknesses found in SHA-1 have made it less secure over the years.

According to Microsoft’s support article:

To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

Microsoft also advises customers who use Windows Server Update Services (WSUS) 3.0 SP2 to install the SHA-2 updates for WSUS 3.0 SP2 on their servers by June 18, so that they can deliver future SHA-2-signed updates to their enterprise environment.

Windows Server Update Services (which was previously known as Software Update Services) is a program designed to allow Windows administrators to manage update and hotfix distribution to stations in a corporate environment.

The full schedule for the SHA-2 code signing support migration can be found in the table below; according to Microsoft, the dates are subject to change:

| Target Date | Event | Applies To |
|---|---|---|
| March 12, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows 7 SP1, Windows Server 2008 R2 SP1. |
| March 12, 2019 | Stand Alone update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be installed no later than June 18, 2019. | WSUS 3.0 SP2 |
| April 9, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows Server 2008 SP2. |
| June 18, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019 |
| June 18, 2019 | Required: For those customers using WSUS 3.0 SP2, the updates should be installed by this date. | WSUS 3.0 SP2 |
| July 16, 2019 | Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2. |
| July 16, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1507, Windows 10 1607, Windows 10 1703 |
| August 13, 2019 | Contents of updates for legacy Windows versions will be SHA2 signed (embed signed binaries and catalogs). No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2. |
| September 16, 2019 | Legacy Windows updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 |

To read the original article:

https://www.bleepingcomputer.com/news/microsoft/windows-7-and-server-2008-updates-to-require-sha-2-support-starting-july/
