We just switched from a SHA-1 to a SHA-2 code signing certificate. (As background info, we sign .exe and .xap files on Windows with signtool.exe, using COMODO code signing certificates.) We do this using a certified timestamp, to make sure that Windows keeps trusting the code signature after the code signing certificate expires.
Now I noticed that the timestamp certificate is still a SHA-1 certificate, when using http://timestamp.comodoca.com/authenticode. (Details: It is df946a5... with Subject 'CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford, S=Greater Manchester,C=GB'.)
(On Windows one can see that certificate by taking a signed .exe, then in its Explorer Properties dialog go to the Digital Signatures tab, select the signature and click Details, then in the Digital Signature Details dialog click the counter signature and click Details, then in the second Digital Signature Details dialog click on View Certificate. The certificate is a SHA-1 certificate if its 'Signature hash algorithm' is 'sha1'.)
Will this be a problem? In other words, after our current code signing certificate has expired, and after Microsoft Windows treats SHA-1 as a broken algorithm (which is in 2020 at the latest), will our current signatures still be trusted? Or will Windows say, “The timestamp is within the code signing certificate's validity range, but the timestamp was signed with a SHA-1 certificate, so I will not trust the timestamp, and therefore I won't trust this signature”?
Is there another service we can/should use? (Not Verisign's http://timestamp.verisign.com/scripts/timstamp.dll, since they also still use a SHA-1 time stamping certificate, viz. 6543992...)
Since 1/1/2017, you can no longer use SHA-1 on Windows 7 and later (if timestamped after 1/1/2016).
This article describes how to obtain a SHA-256 timestamp certificate, using the timestamp URL http://timestamp.globalsign.com/?signature=sha2. As an alternative, see this list of timestamp servers which you can also use.
The signtool /td flag is also important (and poorly documented).
Signing like this:
signtool sign /fd SHA256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /a filename.exe
results in an executable with a code sign certificate and timestamp certificate with SHA-256 signature hash algorithm.