Closed Bug 1889336 Opened 1 month ago Closed 29 days ago

MozillaVPN.msi is signed with SHA1 digest algorithm

Categories

(Release Engineering :: Release Automation: Signing, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jcristau, Assigned: jcristau)

References

(Blocks 1 open bug)

Attachments

(3 files)

While looking at retiring the legacy autograph_authenticode and autograph_authenticode_stub formats from signingscript, I realized we use autograph_authenticode for Mozilla VPN. We really should switch it to sha2...

$ wget https://archive.mozilla.org/pub/vpn/releases/2.21.0/windows/MozillaVPN.msi
--2024-04-03 11:13:12--  https://archive.mozilla.org/pub/vpn/releases/2.21.0/windows/MozillaVPN.msi
Resolving archive.mozilla.org (archive.mozilla.org)... 34.117.35.28, 2600:1901:0:b9fd::
Connecting to archive.mozilla.org (archive.mozilla.org)|34.117.35.28|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19487232 (19M) [application/x-msi]
Saving to: ‘MozillaVPN.msi’

MozillaVPN.msi                              100%[========================================================================================>]  18.58M   109MB/s    in 0.2s    

2024-04-03 11:13:13 (109 MB/s) - ‘MozillaVPN.msi’ saved [19487232/19487232]

$ osslsigncode verify -in MozillaVPN.msi -CAfile /etc/ssl/certs/ca-certificates.crt 
Warning: MsiDigitalSignatureEx stream doesn't exist
Signature Index: 0  (Primary Signature)
Message digest algorithm         : SHA1
Current DigitalSignature         : 0DAEF80584FE90D4F8E00E6891C0F0999BA3A3EE 
Calculated DigitalSignature      : 0DAEF80584FE90D4F8E00E6891C0F0999BA3A3EE 

Signer's certificate:
	Signer #0:
		Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Firefox Engineering Operations/CN=Mozilla Corporation
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 0C1CD3EEA47EDDA7A032573B014D0AFD
		Certificate expiration date:
			notBefore : Apr  9 00:00:00 2021 GMT
			notAfter : Jun 19 23:59:59 2024 GMT

Number of certificates: 6
	Signer #0:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0CE7E0E517D846FE8FE560FC1BF03039
		Certificate expiration date:
			notBefore : Nov 10 00:00:00 2006 GMT
			notAfter : Nov 10 00:00:00 2031 GMT
	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0409181B5FD5BB66755343B56F955008
		Certificate expiration date:
			notBefore : Oct 22 12:00:00 2013 GMT
			notAfter : Oct 22 12:00:00 2028 GMT
	------------------
	Signer #2:
		Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Firefox Engineering Operations/CN=Mozilla Corporation
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 0C1CD3EEA47EDDA7A032573B014D0AFD
		Certificate expiration date:
			notBefore : Apr  9 00:00:00 2021 GMT
			notAfter : Jun 19 23:59:59 2024 GMT
	------------------
	Signer #3:
		Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
		Serial : 073637B724547CD847ACFD28662A5E5B
		Certificate expiration date:
			notBefore : Mar 23 00:00:00 2022 GMT
			notAfter : Mar 22 23:59:59 2037 GMT
	------------------
	Signer #4:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0E9B188EF9D02DE7EFDB50E20840185A
		Certificate expiration date:
			notBefore : Aug  1 00:00:00 2022 GMT
			notAfter : Nov  9 23:59:59 2031 GMT
	------------------
	Signer #5:
		Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2023
		Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
		Serial : 0544AFF3949D0839A6BFDB3F5FE56116
		Certificate expiration date:
			notBefore : Jul 14 00:00:00 2023 GMT
			notAfter : Oct 13 23:59:59 2034 GMT

Authenticated attributes:
	Message digest algorithm: SHA1
	Message digest: 82DAEC38F351B6F7997F0011597E91F2A3401B2D 
	Signing time: Apr  1 21:13:15 2024 GMT
	Microsoft Individual Code Signing purpose
	URL description: https://mozilla.org
	Text description: Mozilla VPN Client installer

The signature is timestamped: Apr  1 21:13:16 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
		Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
		Serial : 0544AFF3949D0839A6BFDB3F5FE56116

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
CRL distribution point: http://crl3.digicert.com/sha2-assured-cs-g1.crl
TSA's CRL distribution point: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl

Timestamp Server Signature verification: ok
Signature verification time: Apr  1 21:13:16 2024 GMT
Signature verification: ok

Number of verified signatures: 1
Succeeded

Blocks: 1889340
Assignee: nobody → jcristau
Status: NEW → ASSIGNED

Verified using the latest signed artifact from main:

$ wget https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Vv68ojNPR9KhT1H-YUja9Q/runs/0/artifacts/public%2Fbuild%2FMozillaVPN.msi
--2024-04-05 15:18:32--  https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Vv68ojNPR9KhT1H-YUja9Q/runs/0/artifacts/public%2Fbuild%2FMozillaVPN.msi
Resolving firefox-ci-tc.services.mozilla.com (firefox-ci-tc.services.mozilla.com)... 35.190.5.182
Connecting to firefox-ci-tc.services.mozilla.com (firefox-ci-tc.services.mozilla.com)|35.190.5.182|:443... connected.
HTTP request sent, awaiting response... 303 See Other
Location: https://firefoxci.taskcluster-artifacts.net/Vv68ojNPR9KhT1H-YUja9Q/0/public/build/MozillaVPN.msi [following]
--2024-04-05 15:18:33--  https://firefoxci.taskcluster-artifacts.net/Vv68ojNPR9KhT1H-YUja9Q/0/public/build/MozillaVPN.msi
Resolving firefoxci.taskcluster-artifacts.net (firefoxci.taskcluster-artifacts.net)... 34.36.125.136
Connecting to firefoxci.taskcluster-artifacts.net (firefoxci.taskcluster-artifacts.net)|34.36.125.136|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19424256 (19M) [application/x-msi]
Saving to: ‘public%2Fbuild%2FMozillaVPN.msi’

public%2Fbuild%2FMozillaVPN.msi             100%[========================================================================================>]  18.52M  22.4MB/s    in 0.8s    

2024-04-05 15:18:34 (22.4 MB/s) - ‘public%2Fbuild%2FMozillaVPN.msi’ saved [19424256/19424256]

$ osslsigncode verify public%2Fbuild%2FMozillaVPN.msi
Warning: MsiDigitalSignatureEx stream doesn't exist
Signature Index: 0  (Primary Signature)
Message digest algorithm         : SHA256
Current DigitalSignature         : 19047D0BBC2F92369BB42DF7B182811CB7DFDC89F5C5C47D50D343E732022F49 
Calculated DigitalSignature      : 19047D0BBC2F92369BB42DF7B182811CB7DFDC89F5C5C47D50D343E732022F49 

Signer's certificate:
	Signer #0:
		Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Firefox Engineering Operations/CN=Mozilla Corporation
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 0C1CD3EEA47EDDA7A032573B014D0AFD
		Certificate expiration date:
			notBefore : Apr  9 00:00:00 2021 GMT
			notAfter : Jun 19 23:59:59 2024 GMT

Number of certificates: 6
	Signer #0:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0CE7E0E517D846FE8FE560FC1BF03039
		Certificate expiration date:
			notBefore : Nov 10 00:00:00 2006 GMT
			notAfter : Nov 10 00:00:00 2031 GMT
	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0409181B5FD5BB66755343B56F955008
		Certificate expiration date:
			notBefore : Oct 22 12:00:00 2013 GMT
			notAfter : Oct 22 12:00:00 2028 GMT
	------------------
	Signer #2:
		Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Firefox Engineering Operations/CN=Mozilla Corporation
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 0C1CD3EEA47EDDA7A032573B014D0AFD
		Certificate expiration date:
			notBefore : Apr  9 00:00:00 2021 GMT
			notAfter : Jun 19 23:59:59 2024 GMT
	------------------
	Signer #3:
		Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
		Serial : 073637B724547CD847ACFD28662A5E5B
		Certificate expiration date:
			notBefore : Mar 23 00:00:00 2022 GMT
			notAfter : Mar 22 23:59:59 2037 GMT
	------------------
	Signer #4:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0E9B188EF9D02DE7EFDB50E20840185A
		Certificate expiration date:
			notBefore : Aug  1 00:00:00 2022 GMT
			notAfter : Nov  9 23:59:59 2031 GMT
	------------------
	Signer #5:
		Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2023
		Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
		Serial : 0544AFF3949D0839A6BFDB3F5FE56116
		Certificate expiration date:
			notBefore : Jul 14 00:00:00 2023 GMT
			notAfter : Oct 13 23:59:59 2034 GMT

Authenticated attributes:
	Message digest algorithm: SHA256
	Message digest: 1DE590C67A14EE347E04F6FC5CE100F61E0FA5F3F796A6B91E4665A5B03D4A2B 
	Signing time: Apr  4 17:35:24 2024 GMT
	Microsoft Individual Code Signing purpose
	URL description: https://mozilla.org
	Text description: Mozilla VPN Client installer

The signature is timestamped: Apr  4 17:35:25 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
		Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
		Serial : 0544AFF3949D0839A6BFDB3F5FE56116

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
CRL distribution point: http://crl3.digicert.com/sha2-assured-cs-g1.crl
TSA's CRL distribution point: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl

Timestamp Server Signature verification: ok
Signature verification time: Apr  4 17:35:25 2024 GMT
Signature verification: ok

Number of verified signatures: 1
Succeeded

Status: ASSIGNED → RESOLVED
Closed: 29 days ago
Resolution: --- → FIXED
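
The manual check in this bug can be turned into a release gate. The script below is an added example, not Mozilla's or signingscript's code: it reads `osslsigncode verify` output on stdin and rejects the artifact if any digest is SHA1 or MD5, or if no signature verified. The names `check_digests` and `sample_output` are assumptions, and the sample text is trimmed from the output quoted above.

```shell
#!/bin/sh
# Added example: policy gate over `osslsigncode verify` text output.
# Exit status: 0 = acceptable, 1 = weak digest or failed verification,
# 2 = no verified signature found in the input at all.
check_digests() {
    awk '
    function weak(a) { a = toupper(a); return (a == "SHA1" || a == "MD5") }
    /^Signature Index:/ { idx = $3 }
    # Matches the per-signature header line and the authenticated attribute.
    /Message digest algorithm[ \t]*:/ {
        where = ($0 ~ /^[ \t]/) ? "authenticated-attributes" : "signature-header"
        if (weak($NF)) { print "FAIL sig=" idx " " where " digest=" $NF; bad = 1 }
    }
    # Digest used by the timestamp countersignature.
    /^Hash Algorithm:/ {
        if (weak($NF)) { print "FAIL sig=" idx " timestamp digest=" $NF; bad = 1 }
    }
    # Anchored so "Timestamp Server Signature verification" is not counted.
    /^Signature verification:/ {
        if ($NF == "ok") ok++
        else { print "FAIL sig=" idx " verification=" $NF; bad = 1 }
    }
    END {
        if (ok == 0) { print "FAIL no verified signature in input"; exit 2 }
        exit bad + 0
    }'
}

# Sample input trimmed from the two runs quoted in this bug; $1 is the
# digest algorithm reported for the signature (SHA1 before, SHA256 after).
sample_output() {
    cat <<EOF
Signature Index: 0  (Primary Signature)
Message digest algorithm         : $1
Authenticated attributes:
    Message digest algorithm: $1
Hash Algorithm: sha256
Timestamp Server Signature verification: ok
Signature verification: ok
EOF
}

for alg in SHA1 SHA256; do
    if sample_output "$alg" | check_digests; then echo "$alg: accepted"
    else echo "$alg: rejected"; fi
done
```

In a pipeline the input would come from `osslsigncode verify <file> 2>&1 | check_digests`, so a tool error that produces no verification line also fails the gate.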