|Summary:||Consider use of sha256 for signing of .exe files of Tomcat installer.|
|Product:||Tomcat 9||Reporter:||Konstantin Kolinko <knst.kolinko>|
|Component:||Packaging||Assignee:||Tomcat Developers Mailing List <dev>|
apache-tomcat-9.0.12_Properties.png, Signatures of Tomcat 9.0.12 installer.
PortableGit-2.12.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
PortableGit-2.18.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
Description Konstantin Kolinko 2018-09-07 14:30:03 UTC
Reviewing release candidates of Tomcat 8.5.34, 9.0.11, apache-tomcat-8.5.34.exe apache-tomcat-9.0.12.exe are both signed with sha1 signatures. I mean the following: In Windows: open File Explorer, right-click on the file to open a menu, click "Properties" item in the menu. In the file properties dialog see "Signatures" tab. The file signature is listed there as "sha1". An example of a OSS installer that has sha256 signature, "Git for Windows": https://github.com/git-for-windows/git/releases/tag/v2.18.0.windows.1 -> PortableGit-2.18.0-64-bit.7z.exe An older version of "Git for Windows" had both sha1 and sha256 signatures: https://github.com/git-for-windows/git/releases/tag/v2.12.0.windows.1 -> PortableGit-2.12.0-64-bit.7z.exe I first mentioned this issue 1,5 years ago. I am filing it into Bugzilla, as release signing policy at ASF has changed recently to avoid sha-1. https://markmail.org/message/pa4dntjqx5rwcmwb
Comment 1 Konstantin Kolinko 2018-09-07 14:33:14 UTC
Created attachment 36137 [details] apache-tomcat-9.0.12_Properties.png, Signatures of Tomcat 9.0.12 installer.
Comment 2 Konstantin Kolinko 2018-09-07 14:35:18 UTC
Created attachment 36138 [details] PortableGit-2.12.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
Comment 3 Konstantin Kolinko 2018-09-07 14:37:28 UTC
Created attachment 36139 [details] PortableGit-2.18.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
Comment 4 Mark Thomas 2018-09-07 14:42:31 UTC
This is entirely dependent on the Digicert (was Symantec) code signing service being updated to use SHA-256. I'll ping my friendly technical contact and see if this is on the roadmap.
Comment 5 Mark Thomas 2018-09-12 12:57:09 UTC
Request has gone in to Symantec / Digicert. I'll update this issue when I receive a response.
Comment 6 Mark Thomas 2019-08-09 17:36:29 UTC
I've pinged DigiCert again on this. I'll post any update I receive.
Comment 7 Mark Thomas 2019-08-14 11:51:26 UTC
The signing service has been updated to use SHA-256 for all Windows .exe signings. The updated service will be used for 9.0.23 onwards and 8.5.44 onwards.