Notice on Support for Signature Algorithm "SHA-256"

Last updated on 5/Dec/2017

Upon receiving Microsoft’s "Policy to Deprecate the SHA-1 Signature Algorithm and Transition to SHA-2," we are providing patches and service packs ("SP") signed with the "SHA-256 signature algorithm" based on the following policy in order to enhance security for the "affected features" of our SVF products.

Affected Features
- Environment Settings for SVF Java PRODUCTS
   - SVF Server Management Utility (*Ver.9.0 and later)
   - PDF Encryption Calculator (only SVF for PDF)
- SVF Spooler (* Ver. 9.0 or later)
- Report Director Enterprise Configurator
- Report Director Enterprise Utility
- ActiveX Plugin for RDE (only CAB format) (*Prior to Ver.8.2)
- Universal Connect/X Manager
- SVF for Web/Client (only CAB format)

Affected Patch Installer
- SVF Connect for .NET Framework API
- NET Output Engine patch installer
- RDE ActiveX installer
- UCXSingle (.NET edition)
- SVF for Web/Client msi installer
- SVF Client for .NET Framework API
- SVF Client for .NET Framework API Plus
- SVF Form Export for FiBridge Ⅱ
- SVF Form Export for FX-STDOUT
- SVF Form Export PlainTXT2
- SVF Form Export PIFVIEWER
- SVF Form Export FOG

<About Our Policy for Providing SHA-256 Signatures in SVF Products>
1. Versions for which we provide only modules signed with the SHA-256 algorithm

(*1) Only modules signed with "SHA-256 signature algorithm" will be provided for SPs and patches created after January 1st, 2016.
(*2) If the module signed with "SHA-256 signature algorithm" is applied to an environment that do not meet the minimum requirements for SHA-256 certificates, a warning appears at initial startup. For details, see the following FAQ.
FAQ 4981: A warning message "The digital signature in the application cannot be verified. Are you sure to run this application?" is displayed.

2. Versions for which we provide modules signed with the SHA-256 algorithm after the default signature algorithm was set to SHA-1.

(*3) For patches created after January 1st, 2016, we provide the module signed with "SHA-1 signature algorithm" as the default. If you want to request a "patch signed with the SHA-256 signature algorithm" (*5), inform our support when you request the patch.
(*4) You can now choose whether to apply the "module signed with the SHA-1 signature algorithm (default)" or to apply the "module signed with the SHA-256 signature algorithm" in migration tools SP4 or later (*5). The selected signature algorithm is applied to all features in the table above.
(*5) If you choose "module signed with SHA-256 signature algorithm," the following restrictions apply.
- In environments earlier than Windows Vista, use of the "Feature" in the table above is not supported.
- To use affected features (excluding ActiveX plugin for RDE and SVF for Web/Client) in Windows 7, the PC must have .NET Framework 4.5 or later installed.

3. Products with patches and SPs released as installers

(*6) Only installers signed with "SHA-256 signature algorithm" will be provided for SPs and patches created after January 1st, 2016.
(*7) Windows Server 2008 and Windows Vista do not support SHA-256 signature algorithms, so the following restrictions apply. There are no issues with the features or behavior of installed applications.
- If you check Setup properties, "No digital signature detected for the object." is displayed in the digital signature information.
- "WARNING" is displayed in the install wizard.
- "Unidentified Publisher" is displayed in the "User Account Control" dialog on Windows Vista.

Example: "WARNING" in install wizard


Microsoft’s "Policy to Deprecate the SHA-1 Signature Algorithm and Transition to SHA-2" (as of December 2015)
November 13th, 2013 - Due to security risks associated with vulnerabilities of SHA-1 certificates, Microsoft has announced their policy "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program (https://technet.microsoft.com/en-us/library/security/2880823.aspx)." In accordance with that announcement, the following measures are also expected.

• Companies participating in Microsoft's Root Certificate Program will not be able to issue SHA-1 code signing certificates for use in an OS other than Windows Vista / Windows Server 2008.
• SHA-1 code signing certificates issued after January 1st, 2016 cannot be used in Windows 7 / Windows Server 2008 R2 or later OS.
• OS that support SHA-2 include Windows 7 / Windows Server 2008 R2 and later OS. SHA-2 support for Windows Vista / Windows Server 2008 and earlier OS is not expected.
• To run ClickOnce applications signed with a SHA-2 certificate, a Runtime of .NET Framework 4.5 or higher must be installed. Note: Since the OS Runtime included in Windows 7 / Windows Server 2008 R2 is .NET Framework 3.5 SP1, the latest Runtime from .NET Framework 4.5 or later needs to be installed.
• Time-stamped SHA-1 certificates issued before December 31st, 2015 can still be used until January 14th, 2020 - the date when limited extended support for Windows Server 2008 ends - even in Windows 7 / Windows Server 2008 R2 and later OS. However, the end date of the period of use may be earlier than indicated, depending on the risk status of SHA-1.

[SHA-1 Certificate Policy for Windows 7 / Windows Server 2008 R2 and later OS]