%3CLINGO-SUB%20id%3D%22lingo-sub-625803%22%20slang%3D%22en-US%22%3EHardware%20Partner%20Center%20%E2%80%93%20SHA%201%20signing%20deprecation%20notice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-625803%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20align%20with%20the%20Windows%20operating%20system%20SHA-2%20Code%20Signing%20Support%20requirement%20notice%20(%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4472027%2F2019-sha-2-code-signing-support-requirement-for-windows-and-wsus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESupport%20article%204472027%3C%2FA%3E)%2C%20Microsoft%20Hardware%20Partner%20Center%20will%20be%20moving%20to%20sign%20everything%20using%20the%20more%20secure%20SHA-2%20algorithm%20%3CEM%3Eexclusively%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStarting%20in%20late%202019%2C%20Hardware%20Partner%20Center%20will%20be%20implementing%20the%20following%20changes.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22138%22%3E%3CP%3E%3CSTRONG%3ETarget%20Date%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22335%22%3E%3CP%3E%3CSTRONG%3EEvent%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22237%22%3E%3CP%3E%3CSTRONG%3EApplies%20To%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%223%22%20width%3D%22138%22%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3ENovember%202019%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22335%22%3E%3CP%3ELegacy%20Windows%20code%20signing%20services%20will%20be%20%3CSTRONG%3Eretired%3C%2FSTRONG%3E%20for%20the%20following%20operating%20systems%20as%20they%20are%20no%20longer%20in%20support.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22237%22%3E%3CP%3EWindows%202000%3C%2FP%3E%0A%3CP%3EWindows%20XP%3C%2FP%3E%0A%3CP%3EWindows%20Server%202003%3C%2FP%3E%0A%3CP%3EWindows%20Vista%20Client%3C%2FP%3E%0A%3CP%3EWindows%20Vista%20Client%20x64%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22335%22%3E%3CP%3EAll%20other%20in%20scope%20OS%20%3CSTRONG%3Esubmission%20workflows%20%3C%2FSTRONG%3E(ie%3A%20Test-signing%2C%20WLK%2C%20HCK%2C%20and%20HLK)%20will%20be%20signed%20with%20%3CEM%3ESHA-2%20only%20%3C%2FEM%3E(binaries%20and%20catalog)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22237%22%3E%3CP%3EWindows%207%3C%2FP%3E%0A%3CP%3EWindows%20Server%202008%20R2%20Windows%20Server%202008%3C%2FP%3E%0A%3CP%3EWindows%20Server%202008%20x64%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22335%22%3E%3CP%20style%3D%22text-align%3A%20center%3B%22%3E%3CSTRONG%3ENo%20Change%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22237%22%3E%3CP%3EAttestation%2C%20UEFI%20%26amp%3B%20LSA%20signing%20is%20unaffected%20and%20already%20exclusively%20uses%20SHA-2.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22710%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDrivers%20signed%20after%20this%20date%20may%20require%20the%20Security%20updates%20outlined%20in%20%E2%80%9C%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4472027%2F2019-sha-2-code-signing-support-requirement-for-windows-and-wsus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESupport%20article%204472027%3C%2FA%3E%E2%80%9D%20for%20them%20to%20load.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CH1%20id%3D%22toc-hId-1957614947%22%20id%3D%22toc-hId-1957615044%22%3EShipping%20Labels%20and%20Windows%20Update%3A%3C%2FH1%3E%0A%3CP%3EPreviously%20published%20Windows%20Updates%20that%20include%20a%20SHA-1%20code-sign%20signature%20will%20continue%20to%20be%20trusted%20by%20Windows%20and%20will%20remain%20available.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3ENew%3C%2FEM%3E%20and%20%3CEM%3Eedited%3C%2FEM%3E%20Windows%20Update%20shipping%20labels%20that%20are%20created%20after%20this%20change%20will%20only%20be%20available%20to%20systems%20that%20are%20running%20the%20required%20security%20updates%20detailed%20in%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4472027%2F2019-sha-2-code-signing-support-requirement-for-windows-and-wsus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESupport%20article%204472027%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--594542014%22%20id%3D%22toc-hId--594541917%22%3EFAQ%3A%3C%2FH1%3E%0A%3CP%3E%3CSPAN%3EHow%20will%20Partner%20Center%20sign%20my%20%3CSTRONG%3Ebinaries%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Ecatalog%3C%2FSTRONG%3E%20(.CAT)%20after%20this%20change%3F%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20width%3D%22710%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22295%22%3E%3CP%3EWindows%207%2FServer%202008%20R2%20and%20lower%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22178%22%3E%3CP%3EWindows%208%2F8.1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22237%22%3E%3CP%3EWindows%2010%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22710%22%3E%3CP%20style%3D%22text-align%3A%20center%3B%22%3E%3CSTRONG%3ESHA-2%20only%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWill%20Hardware%20Partner%20Center%20still%20accept%20binaries%20that%20are%20signed%20with%20SHA-1%20or%20that%20include%20a%20SHA-1%20PE%20signature%3F%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EYES.%26nbsp%3B%26nbsp%3B%20There%20is%20no%20change%20from%20how%20things%20are%20currently%20processed.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWill%20Hardware%20Partner%20Center%20start%20accepting%20SHA-2%20signed%20binaries%20for%20submissions%20that%20target%20Windows%207%20and%20lower%20after%20this%20change%3F%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EYES.%26nbsp%3B%26nbsp%3B%20Starting%20in%20November%202019%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20Partner%20Center%20Dashboard%20and%20Driver%20Submission%20support%2C%20please%20open%20a%20support%20ticket%20via%3A%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2038065%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2038065%3C%2FA%3E%20Be%20sure%20you%20are%20signed%20in%20using%20the%20same%20user%20account%20used%20on%20Partner%20Center.%20%26nbsp%3B%26nbsp%3BSelect%20%3CSTRONG%3EContact%20us%3C%2FSTRONG%3E%2C%20%3CSTRONG%3EDashboard%20issue%3C%2FSTRONG%3E%2C%20and%20then%20%3CSTRONG%3EHardware%20submissions%20%26amp%3B%20signing%20(all%20OS%20version)%3C%2FSTRONG%3E%20from%20the%20drop-down.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20questions%20about%20OS%20behavior%20or%20other%20OS%20and%20driver%20interoperability%20questions%20refer%20to%20the%20support%20article.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-625803%22%20slang%3D%22en-US%22%3E%3CP%3EStarting%20in%20November%202019%2C%20Hardware%20Partner%20Center%20will%20be%20moving%20to%20sign%20everything%20using%20the%20more%20secure%20SHA-2%20algorithm%20%3CEM%3Eexclusively%3C%2FEM%3E.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

To align with the Windows operating system SHA-2 Code Signing Support requirement notice (Support article 4472027), Microsoft Hardware Partner Center will be moving to sign everything using the more secure SHA-2 algorithm exclusively.

 

Starting in late 2019, Hardware Partner Center will be implementing the following changes. 

 

Target Date

Event

Applies To

 November 2019

Legacy Windows code signing services will be retired for the following operating systems as they are no longer in support.

Windows 2000

Windows XP

Windows Server 2003

Windows Vista Client

Windows Vista Client x64

All other in scope OS submission workflows (ie: Test-signing, WLK, HCK, and HLK) will be signed with SHA-2 only (binaries and catalog)

Windows 7

Windows Server 2008 R2 Windows Server 2008

Windows Server 2008 x64

No Change

Attestation, UEFI & LSA signing is unaffected and already exclusively uses SHA-2.

 

 

Drivers signed after this date may require the Security updates outlined in “Support article 4472027” for them to load.

Shipping Labels and Windows Update:

Previously published Windows Updates that include a SHA-1 code-sign signature will continue to be trusted by Windows and will remain available.

 

New and edited Windows Update shipping labels that are created after this change will only be available to systems that are running the required security updates detailed in Support article 4472027

FAQ:

How will Partner Center sign my binaries and catalog (.CAT) after this change?

 

Windows 7/Server 2008 R2 and lower

Windows 8/8.1

Windows 10

SHA-2 only

 

Will Hardware Partner Center still accept binaries that are signed with SHA-1 or that include a SHA-1 PE signature?

  • YES.   There is no change from how things are currently processed.

 

Will Hardware Partner Center start accepting SHA-2 signed binaries for submissions that target Windows 7 and lower after this change?  

  • YES.   Starting in November 2019

 

For Partner Center Dashboard and Driver Submission support, please open a support ticket via: https://go.microsoft.com/fwlink/?linkid=2038065 Be sure you are signed in using the same user account used on Partner Center.   Select Contact us, Dashboard issue, and then Hardware submissions & signing (all OS version) from the drop-down.

 

For questions about OS behavior or other OS and driver interoperability questions refer to the support article.