Hi @astle, I think this is the right category
You're correct - this is an erroneous finding. I'm not sure if there is a "definitive" reference, but the signature on the root certificate is not validated the same way a signature on an intermediate or leaf certificate is, and the SHA-1 deprecation by Google/Mozilla does not apply to it. You can find information confirming this in a few places, e.g.:
- Do You Need SHA-2 Signed Root Certificates? - Entrust Blog
- ssl - Why are Root CAs with SHA1 signatures not a risk - Super User
- ssl - Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)? - Server Fault
- SHA1 Deprecation: What You Need to Know | Qualys Security Blog
Edit: here's another answer I provided a user in the forum with the same question: SHA-1 signed certificate in chain - #2 by cpu
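To make the distinction in the reply above concrete, here is an added example (not code from the forum post or from any project it mentions). It is a constructed model of the path-validation policy, not real X.509 parsing: the `Cert` class, `chain_findings`, `naive_findings` and the sample chain are all assumptions built for illustration. The root is accepted because its fingerprint is in the trust store; its self-signature is never evaluated, so a SHA-1 self-signature on the root is not a finding, while SHA-1 on any certificate below the root is.

```python
"""Constructed model of why a SHA-1 self-signed root is not a weak-signature finding."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for a certificate; real validators operate on DER-encoded X.509."""
    subject: str
    issuer: str
    sig_alg: str      # algorithm the *issuer* used to sign this certificate
    public_key: str   # stand-in for the SubjectPublicKeyInfo bytes

    def fingerprint(self) -> str:
        # Trust anchors are matched by fingerprint of the whole certificate,
        # not by checking the self-signature on the root.
        raw = f"{self.subject}|{self.issuer}|{self.sig_alg}|{self.public_key}".encode()
        return hashlib.sha256(raw).hexdigest()


# Algorithms that browsers reject on signatures they actually verify.
WEAK_SIGNATURE_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


def chain_findings(chain, trust_store):
    """Policy-aware check. `chain` is ordered leaf -> intermediates -> root.

    Returns a list of (subject, finding). The root is accepted by trust-store
    membership, so its own signature algorithm is never examined; every
    certificate below it is signed by the next one up, and that signature
    must use an acceptable algorithm.
    """
    findings = []
    *validated, root = chain
    if root.fingerprint() not in trust_store:
        findings.append((root.subject, "root not in trust store"))
    for cert, parent in zip(validated, chain[1:]):
        if cert.issuer != parent.subject:
            findings.append((cert.subject, f"issuer {cert.issuer!r} does not chain to {parent.subject!r}"))
        if cert.sig_alg in WEAK_SIGNATURE_ALGS:
            findings.append((cert.subject, f"weak signature algorithm {cert.sig_alg}"))
    return findings


def naive_findings(chain):
    """What the erroneous scanner does: flag the algorithm on every certificate,
    including the root whose self-signature nobody verifies."""
    return [(c.subject, f"weak signature algorithm {c.sig_alg}")
            for c in chain if c.sig_alg in WEAK_SIGNATURE_ALGS]


# Constructed sample chain: a SHA-1 self-signed root with SHA-256 below it.
ROOT = Cert("Example Root CA", "Example Root CA", "sha1WithRSAEncryption", "root-key")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", "sha256WithRSAEncryption", "int-key")
LEAF = Cert("www.example.com", "Example Intermediate CA", "sha256WithRSAEncryption", "leaf-key")
CHAIN = [LEAF, INTERMEDIATE, ROOT]
TRUST_STORE = {ROOT.fingerprint()}

# Same chain, but the intermediate itself was signed with SHA-1: a genuine finding.
WEAK_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", "sha1WithRSAEncryption", "int-key")
WEAK_CHAIN = [Cert("www.example.com", "Example Intermediate CA", "sha256WithRSAEncryption", "leaf-key"),
              WEAK_INTERMEDIATE, ROOT]

if __name__ == "__main__":
    print("policy-aware:", chain_findings(CHAIN, TRUST_STORE))
    print("naive scanner:", naive_findings(CHAIN))
    print("SHA-1 intermediate:", chain_findings(WEAK_CHAIN, TRUST_STORE))
```

Running it shows the policy-aware check returning no findings for the sample chain, the naive scanner flagging the root, and the policy-aware check correctly flagging the variant whose intermediate was signed with SHA-1.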