[tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 20 15:04:11 UTC 2020


#29614: Use SHA-256 algorithm for Windows authenticode timestamping
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  gk
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-sign, tbb-security, tbb-8.5,     |  Actual Points:
  GeorgKoppen202004, TorBrowserTeam202004R       |
Parent ID:  #33168                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  assigned => needs_review
 * keywords:
     tbb-sign, tbb-security, tbb-8.5, GeorgKoppen202004,
     TorBrowserTeam201907
     =>
     tbb-sign, tbb-security, tbb-8.5, GeorgKoppen202004,
     TorBrowserTeam202004R


Comment:

 Replying to [comment:6 gk]:
 > Note to self: we likely need to adapt my patch for `osslsigncode` so that
 the `-h` option is available for the `add` command as well.

 Yes, that is needed (among other things). It took me longer to figure this
 issue out because I got confused. While `osslsigncode verify` shows the
 certs in the SHA-1 Authenticode scenario, it does not show them when
 switching to RFC 3161 mode with SHA-256, which sent me digging in the wrong
 direction. Not sure if that's an `osslsigncode` bug or not.

 Either way, one can extract the signature with
 `osslsigncode extract-signature` and then inspect the nitty-gritty details
 with `openssl pkcs7` and the SHA-256 timestamp is visible. I uploaded a test
 file for further inspection if needed:

 https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe
 https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe.asc

 `bug_29614`
 (https://gitweb.torproject.org/user/gk/tor-browser-spec.git/commit/?h=bug_29614&id=26d833f346d9d7bf795fe1cec819555595d739f1)
 in my public `tor-browser-spec` repo contains the updated
 documentation/patch.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29614#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
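
Added example (not part of the ticket, and not code from osslsigncode or tor-browser-spec): a small DER walker that reports whether a PKCS#7 signature blob carries a legacy Authenticode countersignature or an RFC 3161 timestamp token, and which digest algorithms are named inside that attribute. It assumes bare DER PKCS#7 bytes as input; the function names and the sample bytes are constructed for illustration.

```python
KINDS = {bytes.fromhex("2b060104018237030301"): "rfc3161",  # 1.3.6.1.4.1.311.3.3.1
         bytes.fromhex("2a864886f70d010906"): "legacy"}      # 1.2.840.113549.1.9.6
DIGESTS = {bytes.fromhex("2b0e03021a"): "sha1",              # 1.3.14.3.2.26
           bytes.fromhex("608648016503040201"): "sha256"}    # 2.16.840.1.101.3.4.2.1

def tlvs(buf):
    """Split DER bytes into [(tag, value)]; raises on truncated input (DER only)."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: the next n & 0x7F bytes hold the length
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def digests(buf):
    """Names of the digest algorithm OIDs found anywhere under buf."""
    names = set()
    for tag, val in tlvs(buf):
        if tag == 0x06 and val in DIGESTS:
            names.add(DIGESTS[val])
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n]
            names |= digests(val)
        elif tag == 0x04:  # TSTInfo is DER wrapped in an OCTET STRING
            try:
                names |= digests(val)
            except (ValueError, IndexError):
                pass  # plain bytes such as a hash value
    return names

def timestamps(buf):
    """Return [(kind, digest names)] for each timestamp attribute in the blob."""
    found = []
    for tag, val in tlvs(buf):
        kids = tlvs(val) if tag & 0x20 else []
        if tag == 0x30 and kids and kids[0][0] == 0x06 and kids[0][1] in KINDS:
            found.append((KINDS[kids[0][1]], sorted(digests(val))))
        elif kids:
            found += timestamps(val)
    return found

# Constructed sample: [1] attributes with one RFC 3161 token; signature and certs left out.
ALG = "300d06096086480165030402010500"  # AlgorithmIdentifier for SHA-256
TST = "303b020101" "06032a0304" "3031" + ALG + "0420" + "ab" * 32  # TSTInfo skeleton
SD = "3064020103310f" + ALG + "304e060b2a864886f70d0109100104a03f043d" + TST
SAMPLE = bytes.fromhex("a18186" "308183" "060a2b060104018237030301" "3175" "3073"
                       "06092a864886f70d010702" "a066" + SD)
```

`timestamps(SAMPLE)` returns `[("rfc3161", ["sha256"])]`; a blob timestamped in the SHA-1 Authenticode scenario would report the `legacy` kind instead.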

