All file downloads signed with the Secure Hash Algorithm 1 (SHA-1) are considered insecure and will be removed from the Microsoft Download Center on August 3, 2020.
The SHA-1 algorithm was commonly used in code signing for executables and in the TLS and SSL certificates that web sites use to authenticate a publisher's legitimacy. A theoretical attack on the SHA-1 hash function was described back in 2005, but it was carried out in practice only 12 years later. In 2017, scientists for the first time managed to create two files with the same SHA-1 hash. The attack was dubbed SHAttered.
Because of these issues with SHA-1 certificates, Microsoft and other developers have moved away from SHA-1, and installing Windows updates now requires SHA-2.
“To support evolving industry security standards, and continue to keep you protected and productive, Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020. This is the next step in our continued efforts to adopt Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors,” the company said.
According to Microsoft, SHA-1 is outdated, and many in the information security community consider it insecure. Using SHA-1 in digital certificates can allow an attacker to spoof content or to carry out phishing or man-in-the-middle attacks.