This is more of a product distribution question than a security question, but it seems similar enough that it felt like a reasonable start.
Firefox.exe is Authenticode-signed using only a SHA-1-based digest. The Timestamp Authority that it uses in this signature (http://timestamp.verisign.com/scripts/timstamp.dll
) is so old that its RSA signatures are not PKCS#1 conforming (they utilize the raw digest value instead of the DigestInfo version of the digest), and also based on SHA-1.
Since all of the versions of Windows that Microsoft supports support SHA-2 based Authenticode and SHA-2 based RFC3161-compliant timestamping, it seems like there shouldn't really be a reason to hang on to SHA-1 signing for the product distribution.
(If nothing else, please move to a newer TSA, since the inability to validate the signature with certain platforms is what prompted this inquiry)
Cryptography and Security, .NET Platform