[tor-bugs] #18287 [Applications/Tor Browser]: Use SHA-2 signature for Tor Browser setup executables
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 20 11:34:34 UTC 2018
#18287: Use SHA-2 signature for Tor Browser setup executables
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: assigned
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201802 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by cypherpunks):
Replying to [comment:2 gk]:
> Today a Windows users showed up on IRC and said they needed a 64bit Tor
Browser because the stable 32bit one is not working on Windows 10 USN due
to missing WoW64 ("The subsystem needed to support the image type is not
present").
WTF is "USN"? And, yes, 32-bit apps aren't working on Linux or Windows
64-bit without 32-bit subsystem.
> Furthermore, it turns out that the SHA1 signature we have on our .exe
files is not valid on that system either: it wants a SHA2 one as SHA1 ones
have been deprecated in Windows 10 USN and giving a unknown publisher
yellow UAC error now.
SHA-2 where? All Firefox .exes in https://www.mozilla.org/en-
US/firefox/new/ have the same kind of signatures as TBB.
> I wonder what that USN version is about and whether we could skip the
dual-signing dance with `osslsigncode` and just provide a SHA2 signature
given that we switch soon away from supporting XP and Vista anyway.
You've already switched to SHA-2 signatures as Firefox 44 and don't
provide SHA-1 ones for outdated XP and Vista versions.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list