Microsoft will remove all Windows downloads signed using SHA-1 certificates from the Microsoft Download Center on August 3, 2020.
The SHA-1 algorithm was commonly used to code-sign executable files and to sign the TLS and SSL certificates that websites use to authenticate an issuer.
In 2015, security researchers published a report describing in detail how SHA-1 is vulnerable to attacks that could allow intruders to forge digital certificates and impersonate a company or website.
These forgeries could then be used in phishing attacks, corporate forgeries or man-in-the-middle attacks.
Because of these problems with SHA-1 certificates, Microsoft and other developers are moving away from them and requiring SHA-2 to install Windows updates.
In a newsletter published yesterday, Microsoft says it is pulling all Windows content signed with Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center to improve security.
“SHA-1 is an old cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 algorithm in digital certificates could allow an attacker to spoof content, perform phishing or man-in-the-middle attacks.”
Note that although Microsoft only supports SHA-2-signed content for its official downloads, Windows executables signed with SHA-1 will still be able to run on the operating system.
So if you still use older files signed with SHA-1, you should download them before Microsoft removes them on August 3.
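For anyone keeping a local archive of such downloads, the following added example (not from Microsoft or the original article) lists the files whose signing certificate uses a SHA-1 signature algorithm and records a SHA-256 hash of each, so the copies can be integrity-checked once the originals are gone. The archive path and the output file name are assumptions.

```powershell
# Added example: inventory archived downloads signed with SHA-1 certificates.
# Assumption: $ArchivePath is a placeholder for your own archive folder.
param(
    [string]$ArchivePath = 'D:\InstallerArchive'   # hypothetical location
)

# OIDs of certificate signature algorithms that are based on SHA-1
$sha1Oids = @(
    '1.2.840.113549.1.1.5',   # sha1RSA
    '1.2.840.10045.4.1',      # sha1ECDSA
    '1.2.840.10040.4.3',      # sha1DSA
    '1.3.14.3.2.29'           # sha1RSA (legacy OIW identifier)
)
$extensions = '.exe', '.msi', '.msu', '.cab', '.dll'

Get-ChildItem -LiteralPath $ArchivePath -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: nothing to classify

        # Note: this is the algorithm used to sign the signer's certificate,
        # which is what "SHA-1 certificate" refers to. It is not the digest
        # algorithm of the Authenticode signature over the file itself.
        $alg = $cert.SignatureAlgorithm

        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status
            Signer        = $cert.Subject
            CertAlgorithm = $alg.FriendlyName
            Sha1Cert      = $sha1Oids -contains $alg.Value
            # Independent SHA-256 of the file for later integrity checks
            FileSha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Where-Object Sha1Cert |
    Sort-Object File |
    Export-Csv -LiteralPath (Join-Path $ArchivePath 'sha1-signed-inventory.csv') -NoTypeInformation
```

Store the resulting CSV separately from the archive, since a hash list kept next to the files it describes can be altered along with them.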