[tbb-bugs] #18287 [Applications/Tor Browser]: Use SHA-2 signature for Tor Browser setup executables

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 20 13:02:51 UTC 2018

#18287: Use SHA-2 signature for Tor Browser setup executables
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  enhancement                         |         Status:  assigned
 Priority:  Medium                              |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201802  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:

Comment (by cypherpunks):

 Replying to [comment:3 gk]:
 > Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1245842 it seems
 Mozilla is not dual-signing things either. Instead, if I understand it
 correctly (https://bugzilla.mozilla.org/show_bug.cgi?id=1245895), they are
 redirecting users with older systems to binaries signed with SHA1 while
 properly supported ones get SHA2 signed installers.
 This is for outdated pre-SP3 XP and pre-SP2 Vista. You shouldn't support
 Windows installations without the latest security updates.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list