Re: Oh noes! We've only got 5 years!
Actually you may have fewer than that. See http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx.
Starting in 2017, MS may stop accepting code signing certificates using the SHA-1 algorithm. Now, whilst Win7 is happy to support SHA-256 for applications, its kernel only recognises SHA-1. Consequently, if you want to sign a driver after 2016, you will need a certificate that was issued (using the SHA-1 algorithm) before 2017.
I assume that MS will issue themselves a signing certificate soon (if they haven't already) that has a decade or so of validity, but third-party vendors will be affected. Since certificate vendors variously offer 1, 2 or 3-year validity on their stuff, driver vendors who don't notice the date may find that their last remaining SHA-1 cert has expired (in Jan 2018, say) and they are therefore *unable* to issue driver updates for Win7. (At least, not without also explaining to end-users how to fiddle with their system to tolerate unsigned kernel code.)
The security landscape for Win7 could start getting interesting well before the 2020 cut-off.
(Edit: I'm assuming MS can't/won't retrofit SHA-256 to the Win7 kernel, since if that was possible/economic, it would have made sense to do so before they announced the deprecation of SHA-1. I also note that the same argument applies to Server 2008 R2.)
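An added inventory check (not part of the original post) for the situation described above: it lists the drivers on a Win7 or Server 2008 R2 box together with the hash algorithm and expiry date of the certificate that signed each one, so SHA-1-signed drivers whose signing certificate is about to lapse can be spotted early. It uses only the built-in Get-AuthenticodeSignature cmdlet; the driver directory and the 2017 cut-off date are parameters I have assumed, and it is written to run on the PowerShell 2.0 that ships with Win7.

```powershell
# Added example: report signing-certificate hash algorithm and expiry for
# every .sys file in a directory. Assumes Get-AuthenticodeSignature (built in)
# and the 2017 cut-off from the deprecation policy discussed above.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [datetime]$Sha1CutOff = [datetime]'2017-01-01'
)

Get-ChildItem -Path $DriverDir -Filter *.sys |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) {
            # No embedded Authenticode signature; the driver may be
            # catalog-signed instead, so check it separately.
            New-Object PSObject -Property @{
                Driver = $_.Name; Status = $sig.Status
                HashAlg = $null; NotAfter = $null
                Note = 'no embedded signature'
            }
            return
        }
        # SignatureAlgorithm is the algorithm the CA used to sign this
        # certificate, e.g. "sha1RSA" or "sha256RSA".
        $alg  = $cert.SignatureAlgorithm.FriendlyName
        $note = 'non-SHA-1 certificate'
        if ($alg -like 'sha1*') {
            if ($cert.NotBefore -ge $Sha1CutOff) {
                $note = 'SHA-1 cert issued on/after cut-off'
            } elseif ($cert.NotAfter -lt (Get-Date)) {
                $note = 'SHA-1 cert expired'
            } else {
                $note = 'SHA-1 cert still valid'
            }
        }
        New-Object PSObject -Property @{
            Driver = $_.Name; Status = $sig.Status
            HashAlg = $alg; NotAfter = $cert.NotAfter
            Note = $note
        }
    } |
    Sort-Object NotAfter |
    Format-Table Driver, Status, HashAlg, NotAfter, Note -AutoSize
```

Sorting by NotAfter puts the certificates that expire soonest at the top, which is the list a vendor (or an admin tracking vendors) would want to watch.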