[tbb-bugs] #18287 [Applications/Tor Browser]: Use SHA-2 signature for Tor Browser setup executables

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 14 13:51:43 UTC 2016

#18287: Use SHA-2 signature for Tor Browser setup executables
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  enhancement               |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
Changes (by bugzilla):

 * status:  new => assigned
 * owner:  erinn => tbb-team
 * component:  Applications/Tor bundles/installation => Applications/Tor


 '''This ticket is about SHA-2 digest algorithm in digital signature (not
 (Otherwise it's a misunderstanding, taken here from Mozilla)
 As noted there:
 > "Microsoft does not require these file hashes to be done using SHA-2.
 Windows will also not enforce policies on these hashes. If pre-image
 attacks on SHA-1 become feasible we will reevaluate how the system trusts
 signatures made with such file hashes."

 There is no current need to implement it, except for additional security.
 But exactly for additional, so
 > provide both SHA-1 for older systems and SHA-2 for newer ones.
 (and exactly in this order, so SHA-1 would be the first in the list)
 This solution has as much compatibility as possible.

 (Current TBB 6.5a2 uses: SHA-1 digest + SHA-2 certificate + SHA-1
 (Current Mozilla progress is in

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list