[tbb-bugs] #18287 [Applications/Tor Browser]: Use SHA-2 signature for Tor Browser setup executables

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 20 11:34:34 UTC 2018

#18287: Use SHA-2 signature for Tor Browser setup executables
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  enhancement                         |         Status:  assigned
 Priority:  Medium                              |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201802  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:

Comment (by cypherpunks):

 Replying to [comment:2 gk]:
 > Today a Windows users showed up on IRC and said they needed a 64bit Tor
 Browser because the stable 32bit one is not working on Windows 10 USN due
 to missing WoW64 ("The subsystem needed to support the image type is not
 WTF is "USN"? And, yes, 32-bit apps aren't working on Linux or Windows
 64-bit without 32-bit subsystem.
 > Furthermore, it turns out that the SHA1 signature we have on our .exe
 files is not valid on that system either: it wants a SHA2 one as SHA1 ones
 have been deprecated in Windows 10 USN and giving a unknown publisher
 yellow UAC error now.
 SHA-2 where? All Firefox .exes in https://www.mozilla.org/en-
 US/firefox/new/ have the same kind of signatures as TBB.
 > I wonder what that USN version is about and whether we could skip the
 dual-signing dance with `osslsigncode` and just provide a SHA2 signature
 given that we switch soon away from supporting XP and Vista anyway.
 You've already switched to SHA-2 signatures as Firefox 44 and don't
 provide SHA-1 ones for outdated XP and Vista versions.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list