[tor-bugs] #18287 [Applications/Tor Browser]: Use SHA-2 signature for Tor Browser setup executables
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 20 13:02:51 UTC 2018
#18287: Use SHA-2 signature for Tor Browser setup executables
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: assigned
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201802 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by cypherpunks):
Replying to [comment:3 gk]:
> Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1245842 it seems
Mozilla is not dual-signing things either. Instead, if I understand it
correctly (https://bugzilla.mozilla.org/show_bug.cgi?id=1245895), they are
redirecting users with older systems to binaries signed with SHA1 while
properly supported ones get SHA2 signed installers.
This is for outdated pre-SP3 XP and pre-SP2 Vista. You shouldn't support
Windows installations without the latest security updates.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list