diff --git a/NEWS.md b/NEWS.md
index 2576984..aee5ad9 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -2,6 +2,8 @@
 ### 2.4 (unreleased)
+- set the default message digest to sha256
+
 ### 2.3 (2022.03.06)
 **CRITICAL SECURITY VULNERABILITIES**
diff --git a/osslsigncode.c b/osslsigncode.c
index d24bf0d..fbc0cd9 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -5603,7 +5603,7 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
 argv++;
 argc--;
 }
- options->md = EVP_sha1();
+ options->md = EVP_sha256();
 options->signing_time = INVALID_TIME;
 options->jp = -1;
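Review bot: The assignment `options->md = EVP_sha256();` is the only code line changed, so any usage text, README or man page that still names SHA-1 as the default is outside this diff and would now be stale; worth checking in the same commit. A one-line comment at the assignment would record the intent, for example `/* default message digest unless overridden by an option */`. The value is set in main_configure, whose body starts and ends outside the hunk, so it presumably applies to every command that function configures. Confirm that any non-signing path reading options->md behaves as intended with the new digest.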