Update to add SHA-2 code signing support for Windows Server 2008 SP2

Applies to: Windows Server 2008 Service Pack 2

Summary


This update provides support for the Secure Hash Algorithm-2 (SHA-2) code signing and verification functionality in the 64-bit version of Windows Server 2008 Service Pack 2 (SP2) which includes the following:

  • Support for multiple signatures on Cabinet (CAB) files.
  • Support for multiple signatures for Windows PE files.
  • Support for viewing multiple digital signatures by upgrade the user interface (UI).
  • Support for verifying RFC3161 timestamps to the Code Integrity component that verifies signatures in the kernel.
  • Support for various application programming interfaces (APIs), which include CertIsStrongHashToSign, CryptCATAdminAcquireContext2 and CryptCATAdminCalcHashFromFileHandle2.

The Secure Hash Algorithm (SHA) was developed for use with the Digital Signature Algorithm (DSA) or the Digital Signature Standard (DSS). It would generate a 160-bit hash value. But the known weakness of SHA-1 exposes itself to collision attacks which allow for an attacker to generate additional certificates that have the same digital signature as an original. For more information about SHA-1, see Hash and Signature Algorithms.

How to get this update


Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Update Information


Prerequisites

To install this update, you must have Windows Server 2008 SP2 64-bit installed.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

More information


Your system will continue to support SHA-1 operations without changes to that support. The SHA-2 support is being made available in advance of Microsoft changing Windows updates to move away from SHA-1 signatures and move completely to SHA-2 signatures. The release of this SHA-2 support is the first step in that transition. At a later date, this support will become mandatory in order to facilitate the switch to SHA-2 signed updates for Windows Server 2008 SP2.

RFC3161 defines the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) and describes the format of requests and responses to a Time Stamping Authority (TSA). The TSA can be used to prove that a digital signature was generated during the validity period of a public key certificate, see X.509 Public Key Infrastructure.

In public key cryptography, one of the keys, known as the private key, must be kept in secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to telling the world to whom the key belongs. Digital certificates give you a way to do this.

A digital certificate is an electronic credential used to certify the online identities of individuals, organizations, and computers. Digital certificates contain a public key packaged together with some basic information (who owns it, what it can be used for, when it expires, and so on). For more information, see Understanding Public Key Cryptography and Digital Certificates.

Digital certificates are primarily used to verify the identity of a person or device, authenticate a service, or encrypt files. Usually, you don't have to think about certificates at all, other than the occasional message that states a certificate is expired or invalid. In these cases, one should follow the instructions that are provided in the message.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


Learn about the terminology that Microsoft uses to describe software updates.