Use sha1+sha2 dual signatures for Firefox binaries

Status: NEW
Assignee: Unassigned
Product: Release Engineering
Component: General Automation
Priority: P3
Severity: normal
Opened: a year ago
Last modified: a month ago
Reporter: emk
Firefox Tracking Flags: Not tracked

Details

(Reporter)

Description

a year ago
I confirmed that the sha1 signature signed after Jan. 1 2016 still works if KB3033929 is not installed.

A sample binary is available here:
http://crystalmark.info/redirect.php?product=CrystalDiskMarkInstaller-ja
This binary has three signatures in the following order:
1. sha1 digest + sha1 certificate + sha1 timestamp
2. sha2 digest + sha2 certificate + sha1 timestamp
3. sha1 digest + sha2 certificate + sha1 timestamp

I tested this with the following environments:
* Windows XP SP2
* Windows XP SP3
* Windows Vista
* Windows 7 RTM
* Windows 7 SP1 with the latest patches
* Windows 7 SP1 with the latest patches minus KB3033929

We've employed a sha2 single signature for fear of breakage on some Win7 machines. I believe we have no reason to avoid dual signatures anymore.
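
One way to produce and inspect a sha1+sha2 dual signature of the kind described above, using Microsoft's signtool from PowerShell. This is an added example, not code from this bug or from Mozilla's release automation; the file path, certificate thumbprints and timestamp URLs are placeholders, and the SHA-256 RFC 3161 timestamp on the second signature is this example's choice (the sample binary above carries sha1 timestamps).

```powershell
# Added example: dual-sign a Windows binary, then verify every signature on it.
# All values below are placeholders (assumptions), not values from the bug.
$File           = '.\setup.exe'
$Sha1CertThumb  = '<THUMBPRINT-OF-SHA1-CERTIFICATE>'   # certificate in the user's store
$Sha2CertThumb  = '<THUMBPRINT-OF-SHA2-CERTIFICATE>'
$LegacyTsUrl    = 'http://timestamp.example.invalid/authenticode'
$Rfc3161TsUrl   = 'http://timestamp.example.invalid/rfc3161'

function Invoke-SignTool {
    # Run signtool.exe (Windows SDK, assumed to be on PATH) and fail loudly,
    # so a half-signed binary never moves on to the next release step.
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Primary signature: sha1 file digest, sha1 certificate, legacy timestamp.
#    This is the signature that systems without SHA-2 support evaluate.
Invoke-SignTool @('sign', '/sha1', $Sha1CertThumb,
                  '/fd', 'sha1', '/t', $LegacyTsUrl, $File)

# 2. Secondary signature: /as appends instead of replacing the first one.
#    sha256 file digest, sha2 certificate, RFC 3161 timestamp with sha256 digest.
Invoke-SignTool @('sign', '/as', '/sha1', $Sha2CertThumb,
                  '/fd', 'sha256', '/tr', $Rfc3161TsUrl, '/td', 'sha256', $File)

# 3. Verify with the default Authenticode policy (/pa). /all checks every
#    signature in the file; without it only the primary signature is checked.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)

# Get-AuthenticodeSignature reports only the primary signature, so it cannot
# confirm that the appended sha2 signature is present; use step 3 for that.
Get-AuthenticodeSignature -FilePath $File |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

The order matters: running the sha256 step first and the sha1 step without `/as` would overwrite the existing signature rather than add to it.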
(Reporter)

Updated

a year ago
Blocks: 1079858
Component: Releases → General Automation
QA Contact: rail → catlee
See Also: → bug 1245895

Updated

2 months ago
Duplicate of this bug: 1362836

Updated

a month ago
Priority: -- → P3
I don't think this is useful now that we've deprecated support for XP pre-SP2 and Vista?