Reviewing release candidates of Tomcat 8.5.34, 9.0.11, apache-tomcat-8.5.34.exe and apache-tomcat-9.0.12.exe are both signed with sha1 signatures.

I mean the following: in Windows, open File Explorer, right-click on the file to open a menu, click the "Properties" item in the menu. In the file properties dialog see the "Signatures" tab. The file signature is listed there as "sha1".

An example of an OSS installer that has a sha256 signature, "Git for Windows": https://github.com/git-for-windows/git/releases/tag/v2.18.0.windows.1 -> PortableGit-2.18.0-64-bit.7z.exe

An older version of "Git for Windows" had both sha1 and sha256 signatures: https://github.com/git-for-windows/git/releases/tag/v2.12.0.windows.1 -> PortableGit-2.12.0-64-bit.7z.exe

I first mentioned this issue 1.5 years ago. I am filing it into Bugzilla, as the release signing policy at ASF has changed recently to avoid SHA-1. https://markmail.org/message/pa4dntjqx5rwcmwb
Created attachment 36137: apache-tomcat-9.0.12_Properties.png, Signatures of Tomcat 9.0.12 installer.
Created attachment 36138: PortableGit-2.12.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
Created attachment 36139: PortableGit-2.18.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
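The report above checks the digest algorithm through the Explorer "Digital Signatures" tab. The following script is an added example (not part of this Bugzilla thread, not Tomcat or Git for Windows code) that reads the same information programmatically: it locates the Authenticode certificate table in the PE header, decodes the PKCS#7 blob with .NET's SignedCms, and reports the digest algorithm of each signer, following the nested-signature attribute so that dual-signed files (sha1 primary plus sha256 nested, as in the older Git for Windows installer) are reported in full. It assumes Windows PowerShell 5.1 on Windows (where System.Security.dll supplies SignedCms); the function names and the sample path at the bottom are this example's own placeholders.

```powershell
# Added example, not from the original thread. Reports the digest algorithm of
# every Authenticode signature embedded in a PE file, including nested (dual)
# signatures, so "sha1" vs "sha256" can be checked from a script rather than
# from the Explorer "Digital Signatures" tab. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function Get-SignerDigests {
    # Decode one PKCS#7 SignedData blob and list each signer's digest algorithm.
    param([byte[]]$Pkcs7, [string]$Level)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Pkcs7)
    $out = @()
    foreach ($signer in $cms.SignerInfos) {
        $out += [pscustomobject]@{
            Level   = $Level
            Digest  = $signer.DigestAlgorithm.FriendlyName   # e.g. "sha1" or "sha256"
            Subject = $signer.Certificate.Subject
        }
        # Dual-signed files carry the second signature as the unsigned attribute
        # szOID_NESTED_SIGNATURE (1.3.6.1.4.1.311.2.4.1), whose value is a
        # complete PKCS#7 structure; recurse into it.
        foreach ($attr in $signer.UnsignedAttributes) {
            if ($attr.Oid.Value -eq '1.3.6.1.4.1.311.2.4.1') {
                foreach ($v in $attr.Values) {
                    $out += Get-SignerDigests -Pkcs7 $v.RawData -Level 'nested'
                }
            }
        }
    }
    return $out
}

function Get-AuthenticodeDigestAlgorithms {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path))

    # DOS header -> e_lfanew -> "PE\0\0" -> 20-byte COFF header -> optional header
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path is not a PE file"
    }
    $optHdr = $peOffset + 4 + 20
    $magic  = [BitConverter]::ToUInt16($bytes, $optHdr)
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the
    # optional header; IMAGE_DIRECTORY_ENTRY_SECURITY is index 4, 8 bytes each.
    if ($magic -eq 0x10b)     { $dirBase = 96 }
    elseif ($magic -eq 0x20b) { $dirBase = 112 }
    else { throw ("unknown optional header magic 0x{0:x}" -f $magic) }
    $secDir  = $optHdr + $dirBase + 4 * 8
    $certOff = [BitConverter]::ToUInt32($bytes, $secDir)      # raw file offset, not an RVA
    $certLen = [BitConverter]::ToUInt32($bytes, $secDir + 4)
    if ($certOff -eq 0 -or $certLen -eq 0) { return @() }      # unsigned file

    $results = @()
    $pos = [int64]$certOff
    # One or more WIN_CERTIFICATE entries: dwLength, wRevision, wCertificateType, bCertificate[]
    while ($pos -lt $certOff + $certLen) {
        $len  = [BitConverter]::ToUInt32($bytes, $pos)
        $type = [BitConverter]::ToUInt16($bytes, $pos + 6)
        if ($type -eq 0x0002) {                                 # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            $pkcs7 = New-Object byte[] ($len - 8)
            [Array]::Copy($bytes, $pos + 8, $pkcs7, 0, $pkcs7.Length)
            $results += Get-SignerDigests -Pkcs7 $pkcs7 -Level 'primary'
        }
        $padded = $len + 7
        $pos += $padded - ($padded % 8)                         # entries are 8-byte aligned
    }
    return $results
}

# Usage (the path is a placeholder): a SHA-1-only installer yields a single
# "sha1" row; a dual-signed one yields a "sha1" primary row plus a "sha256" nested row.
Get-AuthenticodeDigestAlgorithms -Path 'C:\Downloads\apache-tomcat-9.0.12.exe' | Format-Table
```

Note that this reports the digest algorithm of the Authenticode signature over the file, which is what the Explorer tab labels "sha1"/"sha256"; it is a different thing from the signature algorithm of the signing certificate itself (`SignerCertificate.SignatureAlgorithm` on the object returned by `Get-AuthenticodeSignature`), which can be sha256-based even when the file digest is still SHA-1.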
This is entirely dependent on the Digicert (was Symantec) code signing service being updated to use SHA-256. I'll ping my friendly technical contact and see if this is on the roadmap.
Request has gone in to Symantec / Digicert. I'll update this issue when I receive a response.
I've pinged DigiCert again on this. I'll post any update I receive.
The signing service has been updated to use SHA-256 for all Windows .exe signings. The updated service will be used for 9.0.23 onwards and 8.5.44 onwards.