---
checkId: check.timestamp.evidence.tst.deprecated-algo
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, evidence, tst, algorithm, deprecated]
---

# TST Deprecated Algorithms

## What It Checks

Detects timestamp tokens (TSTs) whose message imprint uses a deprecated hash algorithm (default: SHA1). The check fails if the number of affected timestamps exceeds the critical threshold (default 10); any smaller non-zero count produces a warning.

## Why It Matters

An RFC 3161 timestamp binds only the hash of the data (the message imprint), not the data itself. SHA-1 collisions are practical, so two different artifacts can share one SHA-1 digest and therefore one timestamp token: the token no longer proves which artifact existed at that time. Compliance frameworks (eIDAS, FIPS) may reject evidence built on deprecated algorithms, which blocks release attestation verification.

## Common Causes

- Legacy artifacts timestamped under older TSA configurations
- TSA provider still using SHA1 by default
- Migration to SHA-256 not yet completed

## How to Fix

Re-timestamp the affected artifacts using an approved algorithm:

```bash
stella retimestamp run --algorithm SHA256 --filter deprecated-algo
```

Ensure TSA providers are configured to use SHA-256 or stronger. Note that the hash algorithm in the message imprint is chosen by the client that builds the timestamp request, so check the client-side timestamping configuration as well as the algorithms the TSA accepts.

## Verification

```bash
stella doctor run --check check.timestamp.evidence.tst.deprecated-algo
```

## Related Checks

- `check.timestamp.evidence.staleness` — aggregated evidence staleness check
- `check.timestamp.tsa.valid-response` — verifies TSA returns valid responses
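The following is an added example illustrating the logic described under "What It Checks"; it is not Stella Ops project code. It reads the hash algorithm OID out of a DER-encoded RFC 3161 `MessageImprint` (the structure a TST carries), maps it to a name, and applies the warn/fail threshold rule. The function names (`hash_algorithm_of`, `evaluate`, `make_imprint`) and the sample imprints are assumptions constructed here for illustration, not real TSA output.

```python
"""Added example (not Stella Ops project code): identify the hash algorithm
in an RFC 3161 MessageImprint and apply the deprecated-algorithm threshold.

MessageImprint ::= SEQUENCE {
    hashAlgorithm  AlgorithmIdentifier,   -- SEQUENCE { OID, parameters }
    hashedMessage  OCTET STRING }
"""
import hashlib

# Dotted OID -> algorithm name. Unknown OIDs are returned as the dotted string
# so they can be added to the deprecated set if a deployment requires it.
OID_NAMES = {
    "1.2.840.113549.2.5": "MD5",
    "1.3.14.3.2.26": "SHA1",
    "2.16.840.1.101.3.4.2.1": "SHA256",
    "2.16.840.1.101.3.4.2.2": "SHA384",
    "2.16.840.1.101.3.4.2.3": "SHA512",
}
DEPRECATED_DEFAULT = frozenset({"SHA1"})   # the check's documented default


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    first = raw[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def hash_algorithm_of(message_imprint):
    """Name (or dotted OID) of the hash algorithm in a DER MessageImprint."""
    tag, seq, _ = _read_tlv(message_imprint, 0)
    _expect(tag, 0x30, "MessageImprint")
    tag, alg_id, _ = _read_tlv(seq, 0)
    _expect(tag, 0x30, "hashAlgorithm")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    _expect(tag, 0x06, "algorithm OID")
    oid = _decode_oid(oid_bytes)
    return OID_NAMES.get(oid, oid)


def evaluate(imprints, deprecated=DEPRECATED_DEFAULT, critical_threshold=10):
    """Apply the check: 'fail' when the deprecated count exceeds the threshold,
    'warn' for any smaller non-zero count, 'ok' otherwise. Returns (status, indices)."""
    offenders = [i for i, mi in enumerate(imprints)
                 if hash_algorithm_of(mi) in deprecated]
    if len(offenders) > critical_threshold:   # strictly "exceeds", as documented
        return "fail", offenders
    return ("warn" if offenders else "ok"), offenders


# --- constructed sample input (assumption: not taken from a real TSA) --------
_OID_BYTES = {"SHA1": bytes.fromhex("2b0e03021a"),
              "SHA256": bytes.fromhex("608648016503040201")}


def _der(tag, content):
    if len(content) >= 128:
        raise ValueError("sample builder only emits short-form lengths")
    return bytes([tag, len(content)]) + content


def make_imprint(algorithm, data):
    """Build a DER MessageImprint over `data` for test purposes."""
    digest = hashlib.new(algorithm.lower(), data).digest()
    alg_id = _der(0x30, _der(0x06, _OID_BYTES[algorithm]) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x04, digest))


# Eleven SHA-1 imprints (one over the default threshold) plus one SHA-256 imprint.
SAMPLE_IMPRINTS = ([make_imprint("SHA1", b"legacy-artifact-%d" % i) for i in range(11)]
                   + [make_imprint("SHA256", b"current-artifact")])

if __name__ == "__main__":
    print(evaluate(SAMPLE_IMPRINTS))        # ('fail', [0, 1, ..., 10])
    print(evaluate(SAMPLE_IMPRINTS[:10]))   # ('warn', [0, ..., 9]): 10 does not exceed 10
    print(evaluate(SAMPLE_IMPRINTS[11:]))   # ('ok', [])
```

The threshold comparison is deliberately strict (`>`), matching "exceeds" in the check description: exactly ten SHA-1 tokens still only warns. Unknown algorithm OIDs are surfaced as dotted strings rather than silently passing, so a deployment can extend the `deprecated` set if its policy also disallows, for example, MD5 tokens from very old TSAs.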