Use sha1+sha2 dual signatures for Firefox binaries

RESOLVED WONTFIX

Status

P3
normal
3 years ago
6 months ago

People

(Reporter: emk, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

3 years ago
I confirmed that the sha1 signature signed after Jan. 1 2016 still works if KB3033929 is not installed.

A sample binary is available here:
http://crystalmark.info/redirect.php?product=CrystalDiskMarkInstaller-ja
This binary has three signatures in the following order:
1. sha1 digest + sha1 certificate + sha1 timestamp
2. sha2 digest + sha2 certificate + sha1 timestamp
3. sha1 digest + sha2 certificate + sha1 timestamp

I tested this with the following environments:
* Windows XP SP2
* Windows XP SP3
* Windows Vista
* Windows 7 RTM
* Windows 7 SP1 with the latest patches
* Windows 7 SP1 with the latest patches minus KB3033929

We've employed a sha2 single signature due to fear of breakage on some Win7 machines. I believe we have no reason to avoid dual signatures anymore.
(Reporter)

Updated

3 years ago
Blocks: 1079858
Component: Releases → General Automation
QA Contact: rail → catlee
See Also: → bug 1245895
Priority: -- → P3
I don't think this is useful now that we've deprecated support for XP pre-SP2 and Vista?
(Assignee)

Updated

11 months ago
Component: General Automation → General
Product: Release Engineering → Release Engineering
(In reply to bhearsum@mozilla.com (back in 2019Q1) from comment #2)
> I don't think this is useful now that we've deprecated support for XP
> pre-SP2 and Vista?

Let's go with this.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → WONTFIX