Bug 62696 - Consider use of sha256 for signing of .exe files of Tomcat installer.
Summary: Consider use of sha256 for signing of .exe files of Tomcat installer.
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Packaging
Version: 9.0.x
Hardware: PC All
Importance: P2 enhancement
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-07 14:30 UTC by Konstantin Kolinko
Modified: 2019-08-14 11:51 UTC

Attachments
apache-tomcat-9.0.12_Properties.png, Signatures of Tomcat 9.0.12 installer. (10.94 KB, image/png)
2018-09-07 14:33 UTC, Konstantin Kolinko
PortableGit-2.12.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer. (10.07 KB, image/png)
2018-09-07 14:35 UTC, Konstantin Kolinko
PortableGit-2.18.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer. (9.35 KB, image/png)
2018-09-07 14:37 UTC, Konstantin Kolinko

Description Konstantin Kolinko 2018-09-07 14:30:03 UTC
Reviewing release candidates of Tomcat 8.5.34, 9.0.11,
apache-tomcat-8.5.34.exe
apache-tomcat-9.0.12.exe

are both signed with sha1 signatures.

I mean the following:
In Windows: open File Explorer, right-click on the file to open a menu, click "Properties" item in the menu. In the file properties dialog see "Signatures" tab. The file signature is listed there as "sha1".


An example of an OSS installer that has a sha256 signature, "Git for Windows":
https://github.com/git-for-windows/git/releases/tag/v2.18.0.windows.1
-> PortableGit-2.18.0-64-bit.7z.exe

An older version of "Git for Windows" had both sha1 and sha256 signatures:
https://github.com/git-for-windows/git/releases/tag/v2.12.0.windows.1
-> PortableGit-2.12.0-64-bit.7z.exe


I first mentioned this issue 1.5 years ago. I am filing it in Bugzilla, as the release signing policy at ASF has changed recently to avoid sha-1.
https://markmail.org/message/pa4dntjqx5rwcmwb
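The Explorer "Signatures" tab check described in the report can be scripted so that a downloaded installer is checked before it is run, and so that dual-signed files (as in the older Git for Windows screenshot) are handled. The following is an added PowerShell example, not part of the bug report or of the Tomcat project's release tooling. It assumes `signtool.exe` from the Windows SDK is on PATH (the built-in `Get-AuthenticodeSignature` reports validity and signer but not the file digest algorithm, which signtool prints in its verbose output); the installer path at the bottom is a placeholder.

```powershell
# Added example (not from the bug report): report the file digest algorithm(s)
# used by the Authenticode signature(s) on a .exe, instead of reading the
# "Digest algorithm" column in Explorer's Signatures tab by hand.
# Assumption: signtool.exe (Windows SDK) is on PATH.

function Get-AuthenticodeDigestInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Step 1: the built-in cmdlet answers "is the signature valid and who signed it".
    # Status values include Valid, NotSigned, HashMismatch and UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Digests = @()
    }

    # Step 2: signtool's verbose output prints one "Hash of file (<alg>):" line per
    # signature (dual-signed files, sha1 + sha256, give two lines). /pa selects the
    # default Authenticode policy, /all verifies every signature on the file.
    # stderr is merged so a signtool error message is visible in the output.
    $out = & signtool.exe verify /pa /all /v $Path 2>&1 | Out-String
    $digests = [regex]::Matches($out, 'Hash of file \((\w+)\)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
    $result.Digests = @($digests)

    # Policy used here: acceptable only if a SHA-256 file digest is present.
    # A file that carries nothing but a sha1 digest is flagged.
    $result.HasSha256 = ($result.Digests -contains 'sha256')
    $result.OnlySha1  = ($result.Digests.Count -gt 0) -and (-not $result.HasSha256)
    return [pscustomobject]$result
}

# Usage: replace the placeholder path with the installer you downloaded.
$info = Get-AuthenticodeDigestInfo -Path 'C:\Downloads\apache-tomcat-9.0.12.exe'
$info | Format-List
if ($info.Status -ne 'Valid') {
    Write-Warning "Signature status is $($info.Status); do not trust the file on signature grounds."
}
if ($info.OnlySha1) {
    Write-Warning "Only a SHA-1 file digest is present (this is what the attached Tomcat 9.0.12 screenshot shows)."
}
```

The regex form matches signtool's verbose output as shipped with recent Windows SDKs; if a given signtool build prints the algorithm differently, widen the pattern rather than the policy. Checking `Status` first matters because the digest algorithm of a signature that does not verify is irrelevant.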
Comment 1 Konstantin Kolinko 2018-09-07 14:33:14 UTC
Created attachment 36137
apache-tomcat-9.0.12_Properties.png, Signatures of Tomcat 9.0.12 installer.
Comment 2 Konstantin Kolinko 2018-09-07 14:35:18 UTC
Created attachment 36138
PortableGit-2.12.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
Comment 3 Konstantin Kolinko 2018-09-07 14:37:28 UTC
Created attachment 36139
PortableGit-2.18.0-64-bit_Properties.png, Signatures of "Git for Windows" (portable) installer.
Comment 4 Mark Thomas 2018-09-07 14:42:31 UTC
This is entirely dependent on the Digicert (was Symantec) code signing service being updated to use SHA-256. I'll ping my friendly technical contact and see if this is on the roadmap.
Comment 5 Mark Thomas 2018-09-12 12:57:09 UTC
Request has gone in to Symantec / Digicert. I'll update this issue when I receive a response.
Comment 6 Mark Thomas 2019-08-09 17:36:29 UTC
I've pinged DigiCert again on this. I'll post any update I receive.
Comment 7 Mark Thomas 2019-08-14 11:51:26 UTC
The signing service has been updated to use SHA-256 for all Windows .exe signings.

The updated service will be used for 9.0.23 onwards and 8.5.44 onwards.