InstallShield appears to use the default SHA-1 when signing. How is this set to the newer standard? I don't see the digest type listed in the signing options. Signtool.exe supports /fd SHA256, for example.
I read somewhere that Microsoft stops support for SHA-1 on January 1, 2016.
The point is, it is an SHA-1 encryption and this will not be valid for digital signing carried out after 01/01/2016, which presumably includes .msi files
I assume MSIs (with SHA1 only) will not be considered as signed with invalid signature if carried out this year. Even if not implicitely stated in the TechNet article. Think the Microsoft approach they did last year for e.g. the VCRedist (https://www.microsoft.com/en-us/download/details.aspx?id=48145) should be the same as if they would release the package this year. Setup.exe (and containing assemblies) signed with digest algorithm SHA1/256 and MSI with SHA1..
I mean why should they otherwise adapt signing for PE files to SHA1/256 but not for the MSI. Just my interpretation.
You make it sound like 'they' had a choice in the matter. But in fact the new signing encryption was forced on them by a security problem. I suspect that it was NOT anticipated that SHA-256 would fail on .msi files and the lack of information on the subject is because a solution still hasn't been found.
Curiously, the .msi's I've produced since the 1st January still work as do individual binaries encrypted by an SHA-1 algorithm. So it looks like the security patch meant to enforce this hasn't been deployed yet.
What I don't understand is why Flexera/InstallShield don't seem to have the first clue as to what is going on, when they should be camping on Microsoft's door demanding information.
