Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2020-04-20 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  gk
     Type:  defect                           |         Status:  needs_review
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-sign, tbb-security, tbb-8.5, |  Actual Points:
  GeorgKoppen202004, TorBrowserTeam202004R   |
Parent ID:  #33168                           |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------

Comment (by cypherpunks):

 Works on Windows 7 and later.
 Note: besides changing `SHA-1` to `SHA-256`, you also change
 `Authenticode timestamping` to `RFC 3161 timestamping` (see
 https://sectigo.com/resources/time-stamping-server).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2020-04-20 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  gk
     Type:  defect                           |         Status:  needs_review
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-sign, tbb-security, tbb-8.5, |  Actual Points:
  GeorgKoppen202004, TorBrowserTeam202004R   |
Parent ID:  #33168                           |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------
Changes (by gk):

 * status:  assigned => needs_review
 * keywords:
 tbb-sign, tbb-security, tbb-8.5, GeorgKoppen202004,
 TorBrowserTeam201907
 =>
 tbb-sign, tbb-security, tbb-8.5, GeorgKoppen202004,
 TorBrowserTeam202004R


Comment:

 Replying to [comment:6 gk]:
 > Note to self: we likely need to adapt my patch for `osslsigncode` so that
 > the `-h` option is available for the `add` command as well.

 Yes, that is needed (among other things). It took me longer to figure this
 issue out because I got confused. While `osslsigncode verify` shows the
 certs in the SHA-1 Authenticode scenario, it does not show them when
 switching to RFC 3161 mode with SHA-256, which sent me digging in the wrong
 direction. Not sure if that's an `osslsigncode` bug or not.

 Either way, one can extract the signature with
 `osslsigncode extract-signature` and then inspect the nitty-gritty details
 with `openssl pkcs7` and the SHA-256 timestamp is visible. I uploaded a test
 file for further inspection if needed:

 https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe
 https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe.asc

 `bug_29614`
 (https://gitweb.torproject.org/user/gk/tor-browser-spec.git/commit/?h=bug_29614&id=26d833f346d9d7bf795fe1cec81995d739f1)
 in my public `tor-browser-spec` repo contains the updated
 documentation/patch.

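The inspection step described in the comment above (extract the signature, then look inside the PKCS#7 for the timestamp and its hash), as an added example that is not part of the ticket, the patch or `osslsigncode`: a small Python walker that reports whether a DER-encoded PKCS#7 blob carries a legacy Authenticode countersignature or an RFC 3161 token, and which hash that timestamp uses. The function names and the sample blobs are constructed for illustration; it assumes definite-length DER with single-byte tags.

```python
# Added example, not code from the ticket. Assumes definite-length DER with
# single-byte tags; the two sample blobs at the bottom are constructed.
OIDS = {  # DER content bytes (hex) -> label
    "2a864886f70d010906": "authenticode",   # 1.2.840.113549.1.9.6 countersignature
    "2b060104018237030301": "rfc3161",      # 1.3.6.1.4.1.311.3.3.1 (Microsoft)
    "2a864886f70d0109100104": "tstinfo",    # 1.2.840.113549.1.9.16.1.4 id-ct-TSTInfo
    "2b0e03021a": "sha1",                   # 1.3.14.3.2.26
    "608648016503040201": "sha256",         # 2.16.840.1.101.3.4.2.1
}

def iter_oids(der):
    """Yield OID labels in document order, entering only the OCTET STRING that wraps TSTInfo."""
    stack, in_tst = [(0, len(der))], False
    while stack:
        pos, end = stack.pop()
        if pos + 2 > end:
            continue
        tag, length, body = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                   # long-form length
            body += length & 0x7F
            length = int.from_bytes(der[pos + 2:body], "big")
        stop = min(body + length, end)      # clamp so truncated input cannot overrun
        stack.append((stop, end))           # siblings, visited after the children
        if tag == 0x06:
            label = OIDS.get(der[body:stop].hex(), "other")
            in_tst = label == "tstinfo"
            yield label
        elif tag & 0x20 or (tag == 0x04 and in_tst):
            stack.append((body, stop))

def timestamp_info(der):
    names = list(iter_oids(der))
    if "rfc3161" in names and "tstinfo" in names:
        # TSTInfo ::= { version, policy OID, messageImprint { hashAlgorithm, ... } }
        return "rfc3161", (names[names.index("tstinfo") + 2:] + [None])[0]
    if "authenticode" in names:             # digestAlgorithm of the countersigner
        rest = names[names.index("authenticode"):]
        return "authenticode", next((n for n in rest if n in ("sha1", "sha256")), None)
    return None, None

def tlv(tag, *parts):                       # minimal encoder (short lengths) for samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
DER_OF = {label: tlv(0x06, bytes.fromhex(h)) for h, label in OIDS.items()}
SAMPLE_RFC3161 = tlv(0x30, DER_OF["rfc3161"], tlv(0x31, tlv(0x30, DER_OF["tstinfo"],
    tlv(0xA0, tlv(0x04, tlv(0x30, b"\x02\x01\x01", b"\x06\x03\x2a\x03\x04", tlv(0x30,
        tlv(0x30, DER_OF["sha256"], b"\x05\x00"), tlv(0x04, bytes(32)))))))))
SAMPLE_LEGACY = tlv(0x30, DER_OF["authenticode"], tlv(0x31, tlv(0x30,
    b"\x02\x01\x01", tlv(0x30, DER_OF["sha1"], b"\x05\x00"))))
```

Scanning the whole blob for the SHA-256 OID would not answer the question in this ticket, because the signature itself already uses SHA-256; the walker therefore reads the hash only from the timestamp's own structure.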

Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2020-02-06 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  gk
     Type:  defect                           |         Status:  assigned
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-sign, tbb-security, tbb-8.5, |  Actual Points:
  GeorgKoppen202004, TorBrowserTeam201907    |
Parent ID:  #33168                           |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------
Changes (by gk):

 * cc: tbb-team (added)
 * owner:  tbb-team => gk
 * keywords:  tbb-security, tbb-8.5, GeorgKoppen201907, TorBrowserTeam201907
 =>
 tbb-sign, tbb-security, tbb-8.5, GeorgKoppen202004,
 TorBrowserTeam201907
 * status:  new => assigned
 * parent:   => #33168


Comment:

 Gonna do this while dealing with the new authenticode cert.


Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2019-08-25 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-security, tbb-8.5,           |  Actual Points:
  GeorgKoppen201907, TorBrowserTeam201907    |
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------

Comment (by cypherpunks):

 https://sourceforge.net/p/osslsigncode/patches/10/#98d2/d522


Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2019-03-22 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201903, |  Actual Points:
  GeorgKoppen201903, tbb-8.5                 |
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------

Comment (by gk):

 Note to self: we likely need to adapt my patch for `osslsigncode` so that
 the `-h` option is available for the `add` command as well.


Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2019-03-21 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201903, |  Actual Points:
  GeorgKoppen201903, tbb-8.5                 |
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------

Comment (by gk):

 Replying to [comment:1 gk]:
 > Should be not too hard to adapt our timestamping script, see:
 > https://sourceforge.net/p/osslsigncode/support-requests/9/.

 Unfortunately, this did not work. I'll need to look again at the code and
 our patch to decouple the signing from the timestamping to figure out what
 goes wrong here.


Re: [tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2019-02-28 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
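---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201902, |  Actual Points:
  GeorgKoppen201902                          |
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------------------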

Comment (by gk):

 Should be not too hard to adapt our timestamping script, see:
 https://sourceforge.net/p/osslsigncode/support-requests/9/.


[tor-bugs] #29614 [Applications/Tor Browser]: Use SHA-256 algorithm for Windows authenticode timestamping

2019-02-28 Thread Tor Bug Tracker & Wiki
#29614: Use SHA-256 algorithm for Windows authenticode timestamping
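---------------------------------------------+---------------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |       Keywords:  tbb-security,
                                             |  TorBrowserTeam201902,
                                             |  GeorgKoppen201902
Actual Points:                               |      Parent ID:
   Points:                                   |       Reviewer:
  Sponsor:                                   |
---------------------------------------------+---------------------------------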
 We switched to using SHA-256 for the authenticode signature but we should
 use that hash algo for the timestamp as well (currently that's still
 SHA-1)
