#34368: Improve authenticode-signing script to better check for a signature
------------------------------------------+----------------------
     Reporter:  gk                        |          Owner:  tbb-team
         Type:  enhancement               |         Status:  new
     Priority:  Medium                    |      Milestone:
    Component:  Applications/Tor Browser  |        Version:
     Severity:  Normal                    |       Keywords:  tbb-sign
Actual Points:                            |      Parent ID:
       Points:                            |       Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
Our current `authenticode-signing.sh` script checks two things at the moment:

1) Whether a .exe is still unsigned
2) Whether removing a signature (using `osslsigncode remove-signature`) is producing the same SHA-256 sum as outlined in the SHA-256 sums file.

If both conditions hold it concludes that the bundles are properly signed.

There are ways for improvement here. While I think it's important to check that removing the signature provides the expected unsigned SHA-256 we could try to check the signature directly. `osslsigncode verify -require-leaf-hash` comes to mind. We should investigate, though, how that behaves in case of truncated/broken signatures or no signatures at all.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34368>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
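The two checks the ticket describes, written out as an added Python example (not the project's `authenticode-signing.sh`): the "still unsigned" test reads the PE Security data directory directly, so a file with no signature at all is reported as such without relying on tool exit codes, and the second check shells out to `osslsigncode remove-signature` and compares the result with the sums file. It assumes `osslsigncode` is on PATH; the sums-file name and the header-only PE image are constructed for testing.

```python
import hashlib
import os
import struct
import subprocess
import tempfile

def pe_is_signed(data: bytes) -> bool:
    """True if the PE Security data directory (index 4, the Authenticode
    certificate table) is non-empty; an unsigned .exe has size 0 there."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 data-directory start
    if struct.unpack_from("<I", data, dirs - 4)[0] < 5:  # NumberOfRvaAndSizes too small
        return False
    _file_offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return size != 0

def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <file>') into {file: hex}."""
    sums = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(maxsplit=1)
            sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def unsigned_hash_matches(signed_path: str, expected_hex: str) -> bool:
    """Strip the signature with osslsigncode and compare the SHA-256 of the
    result against the sums-file entry (the check the existing script does)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "unsigned.exe")
        subprocess.run(["osslsigncode", "remove-signature", "-in", signed_path, "-out", out],
                       check=True, capture_output=True)
        with open(out, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest() == expected_hex.lower()

def build_test_pe(sec_dir_size: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for exercising pe_is_signed; not runnable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    std = 112 if pe32plus else 96                              # bytes before data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, std + 128, 0)
    opt = bytearray(std + 128)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, std - 4, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, std + 32, 0x800 if sec_dir_size else 0, sec_dir_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```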
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs