This is more of a product distribution question than a security question, but it seems similar enough that it felt like a reasonable start.
Firefox.exe is Authenticode-signed using only a SHA-1-based digest. The Timestamp Authority that it uses in this signature (http://timestamp.verisign.com/scripts/timstamp.dll) is so old that its RSA signatures are not PKCS#1 conforming (they utilize the raw digest value instead of the DigestInfo version of the digest), and also based on SHA-1. Since all of the versions of Windows that Microsoft supports support SHA-2 based Authenticode and SHA-2 based RFC3161-compliant timestamping, it seems like there shouldn't really be a reason to hang on to SHA-1 signing for the product distribution. (If nothing else, please move to a newer TSA, since the inability to validate the signature with certain platforms is what prompted this inquiry) -Jeremy Barton Cryptography and Security, .NET Platform _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
