Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/01/24 09:44:24 UTC
[tomcat] branch master updated: Ensure Windows signing uses sha256 hash
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 7bb9eec Ensure Windows signing uses sha256 hash
7bb9eec is described below
commit 7bb9eeced9522058796c3dfdc759e3f5eedb258d
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Sun Jan 24 09:42:06 2021 +0000
Ensure Windows signing uses sha256 hash
---
build.xml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/build.xml b/build.xml
index 32142c8..be0f1da 100644
--- a/build.xml
+++ b/build.xml
@@ -2575,6 +2575,8 @@ skip.installer property in build.properties" />
<arg value="sign"/>
<arg value="/sha1"/>
<arg value="${codesigning.certificate.thumbprint}"/>
+ <arg value="/fd"/>
+ <arg value="sha256"/>
<arg value="/tr"/>
<arg value="http://timestamp.digicert.com"/>
<arg value="${tomcat.dist}/Uninstall.exe"/>
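Review bot: The `/tr` timestamp request in this hunk still has no digest of its own; the added `/fd sha256` pair only sets the file digest. If this exec is signtool, as the `sign`, `/sha1`, `/fd` and `/tr` arguments suggest, add a `/td` argument with `sha256` after the `/tr` URL so the RFC 3161 timestamp is not left to the tool's default digest.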
@@ -2605,6 +2607,8 @@ skip.installer property in build.properties" />
<arg value="sign"/>
<arg value="/sha1"/>
<arg value="${codesigning.certificate.thumbprint}"/>
+ <arg value="/fd"/>
+ <arg value="sha256"/>
<arg value="/tr"/>
<arg value="http://timestamp.digicert.com"/>
<arg value="${tomcat.release}/v${version}/bin/${final.name}.exe"/>
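Review bot: The digest is now hard-coded as `sha256` in two separate arg lists, here for `${final.name}.exe` and above for `Uninstall.exe`, so a later algorithm change has to be made twice and the two signatures can drift apart. Consider a single property (for example a hypothetical `${codesigning.digest}`) referenced from both `/fd` values, and a short XML comment on the `/sha1` argument noting that it selects the certificate by thumbprint and is not the signing hash.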
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat] branch master updated: Ensure Windows signing uses sha256 hash
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 1/26/21 14:10, Mark Thomas wrote:
> On 26/01/2021 13:20, Mark Thomas wrote:
>> On 25/01/2021 15:04, Christopher Schultz wrote:
>
> <snip/>
>
>>> I see there is a /sha1 option on the command as well. Does that mean
>>> that SHA1 is also being performed?
>>
>> No.
>>
>>> Is it required?
>>
>> Yes. It is how we ID the certificate/key to sign with.
>>
>>> We abandoned SHA-1 (and SHA-256 for that matter) for the signatures we
>>> put on our web sites some time ago. Is it possible to use SHA-512 for
>>> these signatures as well?
>>
>> A quick hunt around the internet suggests using SHA-512 signatures
>> should be possible. However, that was with a local key. The DigiCert
>> signing uses a custom library to access the keys remotely. Let me run a
>> test...
>
> Yep. That worked. Thanks for spotting this. I've updated the build scripts.
;)
-chris
Re: [tomcat] branch master updated: Ensure Windows signing uses sha256 hash
Posted by Mark Thomas <ma...@apache.org>.
On 26/01/2021 13:20, Mark Thomas wrote:
> On 25/01/2021 15:04, Christopher Schultz wrote:
<snip/>
>> I see there is a /sha1 option on the command as well. Does that mean
>> that SHA1 is also being performed?
>
> No.
>
>> Is it required?
>
> Yes. It is how we ID the certificate/key to sign with.
>
>> We abandoned SHA-1 (and SHA-256 for that matter) for the signatures we
>> put on our web sites some time ago. Is it possible to use SHA-512 for
>> these signatures as well?
>
> A quick hunt around the internet suggests using SHA-512 signatures
> should be possible. However, that was with a local key. The DigiCert
> signing uses a custom library to access the keys remotely. Let me run a
> test...
Yep. That worked. Thanks for spotting this. I've updated the build scripts.
Mark
Re: [tomcat] branch master updated: Ensure Windows signing uses sha256 hash
Posted by Mark Thomas <ma...@apache.org>.
On 25/01/2021 15:04, Christopher Schultz wrote:
> Mark,
>
> On 1/24/21 04:44, markt@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> markt pushed a commit to branch master
>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/master by this push:
>> new 7bb9eec Ensure Windows signing uses sha256 hash
>> 7bb9eec is described below
>>
>> commit 7bb9eeced9522058796c3dfdc759e3f5eedb258d
>> Author: Mark Thomas <ma...@apache.org>
>> AuthorDate: Sun Jan 24 09:42:06 2021 +0000
>>
>> Ensure Windows signing uses sha256 hash
>> ---
>> build.xml | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/build.xml b/build.xml
>> index 32142c8..be0f1da 100644
>> --- a/build.xml
>> +++ b/build.xml
>> @@ -2575,6 +2575,8 @@ skip.installer property in build.properties" />
>> <arg value="sign"/>
>> <arg value="/sha1"/>
>> <arg value="${codesigning.certificate.thumbprint}"/>
>> + <arg value="/fd"/>
>> + <arg value="sha256"/>
>
> I see there is a /sha1 option on the command as well. Does that mean
> that SHA1 is also being performed?
No.
> Is it required?
Yes. It is how we ID the certificate/key to sign with.
> We abandoned SHA-1 (and SHA-256 for that matter) for the signatures we
> put on our web sites some time ago. Is it possible to use SHA-512 for
> these signatures as well?
A quick hunt around the internet suggests using SHA-512 signatures
should be possible. However, that was with a local key. The DigiCert
signing uses a custom library to access the keys remotely. Let me run a
test...
Mark
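The distinction made in the reply above (/sha1 selects the certificate, /fd chooses the file digest) can be checked mechanically in a build file. The following is an added example, not part of the thread or of Tomcat's build; the sample XML is constructed, and the executable name, target names and .exe names in it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the arg lists in the commit; the executable
# name, target names and .exe names are assumptions, not Tomcat's build.xml.
SAMPLE_BUILD_XML = """
<project>
  <target name="sign-before">
    <exec executable="signtool.exe">
      <arg value="sign"/>
      <arg value="/sha1"/>
      <arg value="${codesigning.certificate.thumbprint}"/>
      <arg value="/tr"/>
      <arg value="http://timestamp.digicert.com"/>
      <arg value="example-before.exe"/>
    </exec>
  </target>
  <target name="sign-after">
    <exec executable="signtool.exe">
      <arg value="sign"/>
      <arg value="/sha1"/>
      <arg value="${codesigning.certificate.thumbprint}"/>
      <arg value="/fd"/>
      <arg value="sha256"/>
      <arg value="/tr"/>
      <arg value="http://timestamp.digicert.com"/>
      <arg value="example-after.exe"/>
    </exec>
  </target>
</project>
"""

ACCEPTED_FILE_DIGESTS = {"sha256", "sha384", "sha512"}

def audit_signing(build_xml):
    """Map each target with a "sign" exec to its certificate selector and file digest."""
    report = {}
    for target in ET.fromstring(build_xml).iter("target"):
        for exec_el in target.iter("exec"):
            args = [a.get("value", "") for a in exec_el.findall("arg")]
            if not args or args[0] != "sign":
                continue
            opts = {k.lower(): v for k, v in zip(args, args[1:]) if k.startswith("/")}
            digest = opts.get("/fd")  # None: digest is left to the tool's default
            report[target.get("name")] = {
                "thumbprint": opts.get("/sha1"),  # picks the certificate, hashes nothing
                "file_digest": digest,
                "ok": digest is not None and digest.lower() in ACCEPTED_FILE_DIGESTS,
            }
    return report
```

Calling audit_signing(SAMPLE_BUILD_XML) reports the "sign-before" target as not ok because it has a thumbprint but no /fd, which is the state of the build before this commit.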
Re: [tomcat] branch master updated: Ensure Windows signing uses sha256 hash
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 1/24/21 04:44, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/master by this push:
> new 7bb9eec Ensure Windows signing uses sha256 hash
> 7bb9eec is described below
>
> commit 7bb9eeced9522058796c3dfdc759e3f5eedb258d
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Sun Jan 24 09:42:06 2021 +0000
>
> Ensure Windows signing uses sha256 hash
> ---
> build.xml | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/build.xml b/build.xml
> index 32142c8..be0f1da 100644
> --- a/build.xml
> +++ b/build.xml
> @@ -2575,6 +2575,8 @@ skip.installer property in build.properties" />
> <arg value="sign"/>
> <arg value="/sha1"/>
> <arg value="${codesigning.certificate.thumbprint}"/>
> + <arg value="/fd"/>
> + <arg value="sha256"/>
I see there is a /sha1 option on the command as well. Does that mean
that SHA1 is also being performed? Is it required?
We abandoned SHA-1 (and SHA-256 for that matter) for the signatures we
put on our web sites some time ago. Is it possible to use SHA-512 for
these signatures as well?
-chris