Per https://jira.mozilla.com/browse/RELENG-431, backwards compatibility with win7 sp0 may not be a big issue, though I'm happy to delay rollout if there are any additional concerns. I've linked sha2-signed artifacts in that ticket; we may want to have a QA pass before we decide to roll out.
On Wed, Mar 17, 2021 at 2:11 PM Aki Sasaki <a...@mozilla.com> wrote: > Per https://bugzilla.mozilla.org/show_bug.cgi?id=1697185#c4 and > https://jira.mozilla.com/browse/RELENG-429 . > > We haven't made a product-level decision here, but a) it looks like > timestamp.digicert.com may have silently EOLed sha1 timestamps since > Microsoft has EOLed sha1 signing years ago, and b) it may be the case that > changing the signature may only affect Windows 7 SP 0 users on first > install. I'm not 100% sure about the second point. > > Should we continue testing and rolling out, or pause work here until we > make a product decision? > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform