[tor-bugs] #34368 [Applications/Tor Browser]: Improve authenticode-signing script to better check for a signature
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 3 08:14:24 UTC 2020
#34368: Improve authenticode-signing script to better check for a signature
------------------------------------------+----------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords: tbb-sign
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Our current `authenticode-signing.sh` script checks two things at the
moment:
1) Whether a .exe is still unsigned
2) Whether removing a signature (using `osslsigncode remove-signature`) is
producing the same SHA-256 sum as outlined in the SHA-256 sums file.
If both conditions hold, it concludes that the bundles are properly signed.
There are ways for improvement here. While I think it's important to check
that removing the signature provides the expected unsigned SHA-256, we
could try to check the signature directly.
`osslsigncode verify -require-leaf-hash` comes to mind. We should
investigate, though, how that behaves in case of truncated/broken
signatures or no signatures at all.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34368>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online