Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/09/07 14:30:03 UTC

[Bug 62696] New: Consider use of sha256 for signing of .exe files of Tomcat installer.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62696

            Bug ID: 62696
           Summary: Consider use of sha256 for signing of .exe files of
                    Tomcat installer.
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: knst.kolinko@gmail.com
  Target Milestone: -----

Reviewing release candidates of Tomcat 8.5.34, 9.0.11:
apache-tomcat-8.5.34.exe
apache-tomcat-9.0.12.exe

Both are signed with sha1 signatures.

I mean the following:
In Windows: open File Explorer, right-click on the file to open a menu, click
"Properties" item in the menu. In the file properties dialog see "Signatures"
tab. The file signature is listed there as "sha1".


An example of an OSS installer that has a sha256 signature, "Git for Windows":
https://github.com/git-for-windows/git/releases/tag/v2.18.0.windows.1
-> PortableGit-2.18.0-64-bit.7z.exe

An older version of "Git for Windows" had both sha1 and sha256 signatures:
https://github.com/git-for-windows/git/releases/tag/v2.12.0.windows.1
-> PortableGit-2.12.0-64-bit.7z.exe


I first mentioned this issue 1.5 years ago. I am filing it into Bugzilla, as
release signing policy at ASF has changed recently to avoid sha-1.
https://markmail.org/message/pa4dntjqx5rwcmwb

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
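The same check the report describes in the Explorer "Signatures" tab, done from a script, as an added example that is not from the bug report or the Tomcat project: it reads the Authenticode blob out of a PE file's security directory and reports the digest algorithm(s) named in the PKCS#7 SignedData. The parsing code, the function names and the embedded sample are mine; the sample is a constructed minimal SignedData, not a real signature.

```python
import struct

# DER-encoded OID bodies of the two digest algorithms this bug is about.
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",              # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",    # 2.16.840.1.101.3.4.2.1
}

def der_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pkcs7_digest_algorithms(blob):
    """digestAlgorithms of ContentInfo{OID, [0] SignedData{version, SET OF AlgId, ...}}."""
    _, content_info, _ = der_tlv(blob)
    _, _, pos = der_tlv(content_info)               # skip contentType OID
    _, explicit0, _ = der_tlv(content_info, pos)    # [0] EXPLICIT wrapper
    _, signed_data, _ = der_tlv(explicit0)
    _, _, pos = der_tlv(signed_data)                # skip version INTEGER
    _, alg_set, _ = der_tlv(signed_data, pos)       # SET OF AlgorithmIdentifier
    names, pos = [], 0
    while pos < len(alg_set):
        _, alg_id, pos = der_tlv(alg_set, pos)
        _, oid, _ = der_tlv(alg_id)                 # first field: algorithm OID
        names.append(DIGEST_OIDS.get(bytes(oid), "unknown:" + bytes(oid).hex()))
    return names

def pe_signature_digests(path):
    """Digest algorithms of each WIN_CERTIFICATE entry in a PE's security directory."""
    with open(path, "rb") as f:
        data = f.read()
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    magic = struct.unpack_from("<H", data, pe + 24)[0]           # optional header magic
    dd_off = pe + 24 + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)  # entry 4
    names, pos = [], sec_off          # for this entry the "RVA" is a raw file offset
    while sec_size and pos < sec_off + sec_size:
        length, _rev, _ctype = struct.unpack_from("<IHH", data, pos)   # WIN_CERTIFICATE
        names += pkcs7_digest_algorithms(data[pos + 8:pos + length])
        pos += (length + 7) & ~7      # entries are 8-byte aligned
    return names

# Constructed sample (not a real signature): a minimal SignedData with SHA-256 only.
SAMPLE_SHA256 = bytes.fromhex(
    "3023 06092a864886f70d010702 a016 3014 020101 310f 300d 0609608648016503040201 0500")
```

A dual-signed file (sha1 plus sha256, as in the older Git for Windows build mentioned above) usually nests the second signature inside the primary signature's unsigned attributes, which this walker does not descend into, so it reports the primary signature only; `signtool verify /v /all` lists every signature.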


[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
The signing service has been updated to use SHA-256 for all Windows .exe
signings.

The updated service will be used for 9.0.23 onwards and 8.5.44 onwards.



[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> ---
Created attachment 36137
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36137&action=edit
apache-tomcat-9.0.12_Properties.png, Signatures of Tomcat 9.0.12 installer.



[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Request has gone in to Symantec / Digicert. I'll update this issue when I
receive a response.



[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


--- Comment #6 from Mark Thomas <ma...@apache.org> ---
I've pinged DigiCert again on this. I'll post any update I receive.



[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
This is entirely dependent on the Digicert (was Symantec) code signing service
being updated to use SHA-256. I'll ping my friendly technical contact and see
if this is on the roadmap.



[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
Created attachment 36139
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36139&action=edit
PortableGit-2.18.0-64-bit_Properties.png, Signatures of "Git for Windows"
(portable) installer.



[Bug 62696] Consider use of sha256 for signing of .exe files of Tomcat installer.


--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
Created attachment 36138
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36138&action=edit
PortableGit-2.12.0-64-bit_Properties.png, Signatures of "Git for Windows"
(portable) installer.
