#18287: Use SHA-2 signature for Tor Browser setup executables ------------------------------------------------+-------------------------- Reporter: gk | Owner: tbb-team Type: enhancement | Status: assigned Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: tbb-security, TorBrowserTeam201802 | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: ------------------------------------------------+--------------------------
Comment (by cypherpunks): Replying to [comment:2 gk]: > Today a Windows users showed up on IRC and said they needed a 64bit Tor Browser because the stable 32bit one is not working on Windows 10 USN due to missing WoW64 ("The subsystem needed to support the image type is not present"). WTF is "USN"? And, yes, 32-bit apps aren't working on Linux or Windows 64-bit without 32-bit subsystem. > Furthermore, it turns out that the SHA1 signature we have on our .exe files is not valid on that system either: it wants a SHA2 one as SHA1 ones have been deprecated in Windows 10 USN and giving a unknown publisher yellow UAC error now. SHA-2 where? All Firefox .exes in https://www.mozilla.org/en- US/firefox/new/ have the same kind of signatures as TBB. > I wonder what that USN version is about and whether we could skip the dual-signing dance with `osslsigncode` and just provide a SHA2 signature given that we switch soon away from supporting XP and Vista anyway. You've already switched to SHA-2 signatures as Firefox 44 and don't provide SHA-1 ones for outdated XP and Vista versions. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:4> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs