Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dual-sign the installers with SHA-1 and SHA-2 #592

Closed
dscho opened this issue Jan 7, 2016 · 4 comments
Closed

Dual-sign the installers with SHA-1 and SHA-2 #592

dscho opened this issue Jan 7, 2016 · 4 comments
Assignees
@dscho
Labels
bug installer

Comments

@dscho
Copy link
Member

dscho commented Jan 7, 2016

SHA-1 is deprecated, we should use SHA-2 (and several browsers now consider SHA-1 signed executables as if they were unsigned). But Vista and pre-2008 only accept SHA-1.

Pointed out by Sunny Gakhar.
@dscho dscho self-assigned this Jan 7, 2016
@dscho dscho changed the title Stop signing the installers with SHA-1 Dual-sign the installers with SHA-1 and SHA-2 Jan 24, 2016
This was referenced Jan 24, 2016
Closed
Closed
@rimrul rimrul mentioned this issue Jan 28, 2016
Closed
@randomecho randomecho mentioned this issue Jan 29, 2016
Closed
@linquize linquize mentioned this issue Jan 30, 2016
Closed
@PhilipOakley
Copy link

I understand that getting a sha-2 cert for signing is costly, so it may be some time before a full sha-2 signing can happen.

I was thinking that it may be worth having a note about the issue "Newer browers may issue a signature warning; check using our sha1 certificate" on the download web site(s).

While the main G4W site git-for-windows.github.io is under local control, the more commonly used site for download is git-scm.com.

Would it be worth (me) attempting to add a note to the G4W site, and perhaps a more involved change to git-scm? Or does the hassle of updating the git-scm mean that the effort would be largely nugatory.

@shiftkey
Copy link

I'm not sure how this is progressing @dscho but I'll drop some notes in here about our recent adventures with this and GitHub Desktop:

  • we had an uptick in reports mid-January when Smartscreen (and IE11 where SmartScreen isn't available) reported that our installer was "invalid or corrupt"
  • the changes are documented here and this came into effect from January 1 as the relevant Windows Update propagated out to users - I don't see a mention of timestamping in the release script but maybe you're doing this already.
  • an installer signed with a SHA-1 certificate and timestamped before 2016-01-01 will be trusted for a bit longer, but because we didn't timestamp our files we got caught up in this.
  • as mentioned about, dual-signing the installer is necessary for pre-Windows 7 releases as they won't get SHA-2 support through Windows Update

dscho added a commit to git-for-windows/build-extra that referenced this issue Feb 1, 2016
@dscho
Merge branch 'signtool'
5f321a4 
Triggered by an uptick in duplicate tickets of
git-for-windows/git#592 which threatened to
drown this maintainer in increasingy unpleasant conversations (and not all
of them due to honestly not knowing where/how to report bugs), this topic
branch addresses the need to sign our .exe installers with a SHA-2
certificate, and while at it, also makes sure that the uninstaller is
signed.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
@dscho
Copy link
Member Author

dscho commented Feb 1, 2016

I am pretty confident that I addressed this ticket through git-for-windows/build-extra@5f321a4 and the next release will show that it is fixed.

@dscho dscho closed this as completed Feb 1, 2016
@dscho
Copy link
Member Author

dscho commented Feb 4, 2016

Just as a follow-up: Git 2.7.0(2) is dual-signed and therefore addresses this ticket.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dscho dscho

Labels
bug installer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dscho @shiftkey @PhilipOakley