Symantec will stop using SHA1 RFC 3161 in favour of the SHA256 RFC 3161

At the end of January 2017 Symantec will stop using timestamp-service SHA1 RFC 3161. Signing of Java-based applications will be carried out using SHA256 code signing certificate with a timestamp, set by SHA256 RFC service from Symantec.

In the near future, Oracle plans to abandon support for SHA1-signing and SHA1-timestamping for Java-based applications. This will not affect Java-based applications that were previously signed SHA1, they will operate as usual, but Java-based applications, signed or marked with SHA1 after Oracle’s announced date, can be not trusted.

Taking into account the direction of Oracle movement and a general refusal of support SHA1 by the industry, Symantec will stop using SHA1 RFC 3161 timestamp-service by the end of January 2017. Symantec will move to its own SHA256 RFC 3161 service.