Validity of an SHA1 DigiCert EV Certiticate

Hi,

Travis (developer of libusb-win32/libusbK project) bought the following cert
from Digicert back in 2014 which will expire in 2017. It seems to be using
SHA1. Does it mean this will not work for Windows 10 signing now?
He is using the key to sign the kernel driver (libusbK.sys) and the
setup package.

If that is the case, what is the best we can do? To buy another SHA2
cert from DigiCert?

Below is capture of the sign/verify

Verifying: libusbK-3.0.7.0-setup-chk.exe
Hash of file (sha1): D70FF37A6381B86F6649EF643EC0EBAA68F3E68E

Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Sun Nov 09 18:00:00 2031
SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Expires: Tue Feb 10 06:00:00 2026
SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

Issued to: Travis Lee Robinson
Issued by: DigiCert High Assurance Code Signing CA-1
Expires: Wed Jun 21 06:00:00 2017
SHA1 hash: 3DFF2D903F971878D48EA5FA3BFDF86D66EEAB21

The signature is timestamped: Wed May 14 21:12:56 2014
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 18:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

Issued to: DigiCert Assured ID CA-1
Issued by: DigiCert Assured ID Root CA
Expires: Tue Nov 09 18:00:00 2021
SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

Issued to: DigiCert Timestamp Responder
Issued by: DigiCert Assured ID CA-1
Expires: Tue Jun 03 18:00:00 2014
SHA1 hash: 766489C6D10DC60904E1158E9CC8BE6D4E5EFB53

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 07:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: DigiCert High Assurance EV Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:55:33 2021
SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Expires: Tue Feb 10 06:00:00 2026
SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

Issued to: Travis Lee Robinson
Issued by: DigiCert High Assurance Code Signing CA-1
Expires: Wed Jun 21 06:00:00 2017
SHA1 hash: 3DFF2D903F971878D48EA5FA3BFDF86D66EEAB21

–
Xiaofan

Should work if signed before win10 GA, right? Other drivers with pre-GA
certs appear to be functional.

Mark Roddy

On Wed, Aug 12, 2015 at 10:06 AM, Xiaofan Chen wrote:

> Hi,
>
> Travis (developer of libusb-win32/libusbK project) bought the following
> cert
> from Digicert back in 2014 which will expire in 2017. It seems to be using
> SHA1. Does it mean this will not work for Windows 10 signing now?
> He is using the key to sign the kernel driver (libusbK.sys) and the
> setup package.
>
> If that is the case, what is the best we can do? To buy another SHA2
> cert from DigiCert?
>
> Below is capture of the sign/verify
> ----
> Verifying: libusbK-3.0.7.0-setup-chk.exe
> Hash of file (sha1): D70FF37A6381B86F6649EF643EC0EBAA68F3E68E
>
> Signing Certificate Chain:
> Issued to: DigiCert High Assurance EV Root CA
> Issued by: DigiCert High Assurance EV Root CA
> Expires: Sun Nov 09 18:00:00 2031
> SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
>
> Issued to: DigiCert High Assurance Code Signing CA-1
> Issued by: DigiCert High Assurance EV Root CA
> Expires: Tue Feb 10 06:00:00 2026
> SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46
>
> Issued to: Travis Lee Robinson
> Issued by: DigiCert High Assurance Code Signing CA-1
> Expires: Wed Jun 21 06:00:00 2017
> SHA1 hash: 3DFF2D903F971878D48EA5FA3BFDF86D66EEAB21
>
> The signature is timestamped: Wed May 14 21:12:56 2014
> Timestamp Verified by:
> Issued to: DigiCert Assured ID Root CA
> Issued by: DigiCert Assured ID Root CA
> Expires: Sun Nov 09 18:00:00 2031
> SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
>
> Issued to: DigiCert Assured ID CA-1
> Issued by: DigiCert Assured ID Root CA
> Expires: Tue Nov 09 18:00:00 2021
> SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117
>
> Issued to: DigiCert Timestamp Responder
> Issued by: DigiCert Assured ID CA-1
> Expires: Tue Jun 03 18:00:00 2014
> SHA1 hash: 766489C6D10DC60904E1158E9CC8BE6D4E5EFB53
>
> Cross Certificate Chain:
> Issued to: Microsoft Code Verification Root
> Issued by: Microsoft Code Verification Root
> Expires: Sat Nov 01 07:54:03 2025
> SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
>
> Issued to: DigiCert High Assurance EV Root CA
> Issued by: Microsoft Code Verification Root
> Expires: Thu Apr 15 13:55:33 2021
> SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143
>
> Issued to: DigiCert High Assurance Code Signing CA-1
> Issued by: DigiCert High Assurance EV Root CA
> Expires: Tue Feb 10 06:00:00 2026
> SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46
>
> Issued to: Travis Lee Robinson
> Issued by: DigiCert High Assurance Code Signing CA-1
> Expires: Wed Jun 21 06:00:00 2017
> SHA1 hash: 3DFF2D903F971878D48EA5FA3BFDF86D66EEAB21
>
>
>
>
> –
> Xiaofan
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Xiaofan Chen wrote:

Travis (developer of libusb-win32/libusbK project) bought the following cert
from Digicert back in 2014 which will expire in 2017. It seems to be using
SHA1. Does it mean this will not work for Windows 10 signing now?

No, this certificate and the traditional cross-signing approach will
continue to work just fine until it expires in 2017.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.