[tbb-bugs] #17870 [Tor Browser]: Some Windows 10 users experience authenticode errors if Tor Browser is signed on Linux

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 8 13:42:10 UTC 2016

#17870: Some Windows 10 users experience authenticode errors if Tor Browser is
signed on Linux
 Reporter:  gk                                   |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:  closed
Component:  Tor Browser                          |      Milestone:
 Severity:  Major                                |        Version:
 Keywords:  tbb-security, TorBrowserTeam201601,  |     Resolution:  fixed
  GeorgKoppen201601                              |  Actual Points:
Parent ID:  #15538                               |         Points:
  Sponsor:                                       |

Comment (by tom):

 I tested this on Windows 10 and had no issues, as seen here:

 When I run it, it still gives the "Do you want to run this file?" prompt,
 but this is because it's a downloaded executable. the Publisher shows the
 correct name.  I don't believe there's anything Tor can do about this
 prompt.  (The only thing might be to submit it to Windows for additional
 scanning or something - but I'm not sure and I can't find any indication
 that this is an option - it's hard to search for.)

 I will note that the application is signed with SHA-1, which may cause
 issues down the road.  It would be better to dual-sign it with SHA-256
 _and_ SHA-1. (We're not an MSI, which causes problems, but .exes can be
 dual-signed. I don't know how to do this on linux, but there are
 instructions for Windows here:
 enforcement-of-authenticode-code-signing-and-timestamping.aspx ).

 SHA-256 will be untrusted as a signing algorithm in the future.  According
 to MSFT's timetable, it looks like "On Win 7 and above, blocked on
 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after
 1/1/2016 for Mark of the Web files."  Additionally as time goes on it may
 be more difficult to obtain a SHA-1 signing cert.  I don't think "Mark of
 the Web" will affect Tor, but in the unlikely situation we wanted someone
 running a 4-year-old executable, the signature will be untrusted in four

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17870#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list