info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
SHA-1 Authenticode signature and legacy timestamp
89 views
Skip to first unread message
Jeremy Barton
Feb 27, 2019, 3:24:19 PM2/27/19
to dev-se...@lists.mozilla.org
This is more of a product distribution question than a security question, but it seems similar enough that it felt like a reasonable start.
Firefox.exe is Authenticode-signed using only a SHA-1-based digest. The Timestamp Authority that it uses in this signature (http://timestamp.verisign.com/scripts/timstamp.dll) is so old that its RSA signatures are not PKCS#1 conforming (they utilize the raw digest value instead of the DigestInfo version of the digest), and also based on SHA-1.
Since all of the versions of Windows that Microsoft supports support SHA-2 based Authenticode and SHA-2 based RFC3161-compliant timestamping, it seems like there shouldn't really be a reason to hang on to SHA-1 signing for the product distribution.
(If nothing else, please move to a newer TSA, since the inability to validate the signature with certain platforms is what prompted this inquiry)
-Jeremy Barton
Cryptography and Security, .NET Platform
Firefox.exe is Authenticode-signed using only a SHA-1-based digest. The Timestamp Authority that it uses in this signature (http://timestamp.verisign.com/scripts/timstamp.dll) is so old that its RSA signatures are not PKCS#1 conforming (they utilize the raw digest value instead of the DigestInfo version of the digest), and also based on SHA-1.
Since all of the versions of Windows that Microsoft supports support SHA-2 based Authenticode and SHA-2 based RFC3161-compliant timestamping, it seems like there shouldn't really be a reason to hang on to SHA-1 signing for the product distribution.
(If nothing else, please move to a newer TSA, since the inability to validate the signature with certain platforms is what prompted this inquiry)
-Jeremy Barton
Cryptography and Security, .NET Platform
dve...@mozilla.com
Feb 27, 2019, 5:55:34 PM2/27/19
to mozilla-de...@lists.mozilla.org
0 new messages