%3CLINGO-SUB%20id%3D%22lingo-sub-1544373%22%20slang%3D%22en-US%22%3ESHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1544373%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20support%20evolving%20industry%20security%20standards%2C%20and%20continue%20to%20keep%20you%20protected%20and%20productive%2C%20Microsoft%20will%20retire%20content%20that%20is%20Windows-signed%20for%20Secure%20Hash%20Algorithm%201%20(SHA-1)%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fwindows.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Download%20Center%3C%2FA%3E%20on%20August%203%2C%202020.%20This%20is%20the%20next%20step%20in%20our%20continued%20efforts%20to%20adopt%20Secure%20Hash%20Algorithm%202%20(SHA-2)%2C%20which%20better%20meets%20modern%20security%20requirements%20and%20offers%20added%20protections%20from%20common%20attack%20vectors.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESHA-1%20is%20a%20legacy%20cryptographic%20hash%20that%20many%20in%20the%20security%20community%20believe%20is%20no%20longer%20secure.%20Using%20the%20SHA-1%20hashing%20algorithm%20in%20digital%20certificates%20could%20allow%20an%20attacker%20to%20spoof%20content%2C%20perform%20phishing%20attacks%2C%20or%20perform%20man-in-the-middle%20attacks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20no%20longer%20uses%20SHA-1%20to%20authenticate%20Windows%20operating%20system%20updates%20due%20to%20security%20concerns%20associated%20with%20the%20algorithm%2C%20and%20has%20provided%20the%20appropriate%20updates%20to%20move%20customers%20to%20SHA-2%20as%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F4472027%2F2019-sha-2-code-signing-support-requirement-for-windows-and-wsus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Epreviously%20announced%3C%2FA%3E.%20Accordingly%2C%20beginning%20in%20August%202019%2C%20devices%20without%20SHA-2%20support%20have%20not%20received%20Windows%20updates.%20If%20you%20are%20still%20reliant%20upon%20SHA-1%2C%20we%20recommend%20that%20you%20move%20to%20a%20currently%20supported%20version%20of%20Windows%20and%20to%20stronger%20alternatives%2C%20such%20as%20SHA-2.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1544373%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20support%20evolving%20industry%20security%20standards%2C%20Microsoft%20is%20retiring%20content%20that%20is%20Windows-signed%20for%20SHA-1.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mobile-worker-02.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208633iF07F02B48DFCBA5D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22mobile-worker-02.PNG%22%20alt%3D%22mobile-worker-02.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1544373%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1553782%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1553782%22%20slang%3D%22en-US%22%3E%3CP%3EHi.%20Let's%20see%20if%20I've%20got%20this%20article%20right%3A%20Downloadable%20contents%20are%20going%20to%20disappear%20from%20the%20Microsoft%20website%2C%20if%20their%20digital%20certificate%20is%20using%20a%20SHA-1%20digest.%20Am%20I%20right%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1554608%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1554608%22%20slang%3D%22en-US%22%3E%3CP%3EI%20see%20that%20number%20of%20Office%202010%20%2F%202013%20(and%20even%202016)%20MSI%20updates%20are%20removed%20from%20Download%20Center%3C%2FP%3E%3CP%3Ethose%20the%20global%20exe%20installers%20without%20any%20alternative%2C%26nbsp%3Band%20most%20of%20those%20updates%20are%20dual%20signed%20(sha1%2Fsha256)%20anyway%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebad%20decision%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1557327%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1557327%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20we%20assume%20all%20XP%20and%202003%20updates%20gone%20then%3F%26nbsp%3B%20How%20long%20were%20Windows%207%20and%202008%2F2008%20R2%20updates%20dual%20signed%3F%26nbsp%3B%20Can%20we%20get%20a%20breakdown%20by%20products%2C%20maybe%20with%20dates%20or%20years%20to%20know%20what%20will%20be%20removed%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1557409%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1557409%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F164300%22%20target%3D%22_blank%22%3E%40Sean%20Andrews%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CSPAN%3EWindows%207%20updates%20are%20dual%20signed%20since%20late%20April%202012%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Eand%20most%20of%20the%20same%20updates%20files%20exist%20in%20Microsoft%20Update%20Catalog%20(its%20links%20don't%20usually%20stop%20working%20even%20if%20the%20update%20entry%20is%20removed%2Fexpired%20from%20catalog)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Eunlike%20Office%20updates%26nbsp%3Bglobal%20exe%20installers%2C%20they%20only%20exist%20in%20Download%20Center%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558737%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558737%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F739276%22%20target%3D%22_blank%22%3E%40Namrata_Bachwani%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20it%20impact%20all%20the%20.NET%20downloads%20available%20in%20the%20Download%20Center%3F%3C%2FP%3E%3CP%3EWhat%20does%20retirement%20mean%3F%20They%20will%20no%20longer%20be%20available%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558830%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558830%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20sharing.%3C%2FP%3E%3CP%3EI%20hope%20this%20process%20would%20be%20smooth%20and%20reliable%20so%20users%20won't%20see%20much%20difference%20and%20we%20have%20to%20be%20careful%20of%20message%20like%20certificate%20is%20invalid.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1569992%22%20slang%3D%22en-US%22%3ERe%3A%20SHA-1%20Windows%20content%20to%20be%20retired%20August%203%2C%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1569992%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20good%20news%3C%2FP%3E%3C%2FLINGO-BODY%3E

To support evolving industry security standards, and continue to keep you protected and productive, Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020. This is the next step in our continued efforts to adopt Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors.

 

SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

 

Microsoft no longer uses SHA-1 to authenticate Windows operating system updates due to security concerns associated with the algorithm, and has provided the appropriate updates to move customers to SHA-2 as previously announced. Accordingly, beginning in August 2019, devices without SHA-2 support have not received Windows updates. If you are still reliant upon SHA-1, we recommend that you move to a currently supported version of Windows and to stronger alternatives, such as SHA-2.

7 Comments
Senior Member

Hi. Let's see if I've got this article right: Downloadable contents are going to disappear from the Microsoft website, if their digital certificate is using a SHA-1 digest. Am I right?

Contributor

I see that number of Office 2010 / 2013 (and even 2016) MSI updates are removed from Download Center

those the global exe installers without any alternative, and most of those updates are dual signed (sha1/sha256) anyway

 

bad decision

Visitor

Can we assume all XP and 2003 updates gone then?  How long were Windows 7 and 2008/2008 R2 updates dual signed?  Can we get a breakdown by products, maybe with dates or years to know what will be removed?

Contributor

@Sean Andrews  Windows 7 updates are dual signed since late April 2012

and most of the same updates files exist in Microsoft Update Catalog (its links don't usually stop working even if the update entry is removed/expired from catalog)

unlike Office updates global exe installers, they only exist in Download Center

Regular Visitor

@Namrata_Bachwani 

Does it impact all the .NET downloads available in the Download Center?

What does retirement mean? They will no longer be available?

Super Contributor

Thank you for sharing.

I hope this process would be smooth and reliable so users won't see much difference and we have to be careful of message like certificate is invalid.

Honored Contributor

That's good news